This repository contains the Ansible code that Maximum Ethics uses to create our web servers. This code creates a Linode virtual server running Arch Linux, and installs all of the software and content necessary to serve the websites we host. It also acts as documentation for how our web servers are configured, should we ever need to recreate them or move to a different hosting option. This is currently written for the specific websites we host, and will have to be generalized later.
This might be useful to you if:
- You want to host one or more websites in an ethical and sustainable manner, on your own servers. Perhaps you can study our approach to inform your own.
- You want us to host your websites, and you're a techie who wants to help set up your desired configuration.
- You are currently hosting a website with us as a client, and
- have noticed something you want to change about your hosting.
- instead want to host it yourself.
- You are employed with us, and
- wish to go your own way.
- want to host websites elsewhere using our familiar tech stack.
- You have knowledge or expertise in ethical web hosting and you'd like to contribute to our goals, with no direct benefit to yourself.
There are plenty of businesses that put profit first. Maximum Ethics is a place for employees and customers who prioritize their values.
- Transparency + Accountability - We use open source software. We want it to be clear what we are using, and how.
- Avoiding lock-in - People should host their websites with us because it's a pleasant experience, not because they are trapped. We want it to be easy for customers or workers to take their business elsewhere. Providing the code that sets up our web server makes it easy to create your own copy of websites hosted on our infrastructure.
- Sharing knowledge - We want to contribute our code back to the community, to help others as we were helped.
- create virtual server on Linode web hosting
- install Arch Linux, Ubuntu Linux, or (eventually) Alpine Linux (should be easy to change distros)
- set up users
- configure Uncomplicated Firewall
- use Caddy web server to publish web pages
- host hand-coded PHP websites
- use Hugo static site generator to create web content
Creating a linode
- Options for configuring the Linode server that will be created to host the websites. Many of these are configured in the comments on or above the line with the variable.
- hosts_group - configures what host group the newly created linode will be entered under in your Ansible hosts file
- linode_label - the name of the Linode server created
- Default web server password that will be used for all users until they log in for the first time and are forced to change their passwords
- Web server user configurations
- Users are specified with a username, the default password, their preferred shell, and their sshkey.
- users var can contain multiple users, though the user who is creating the linode with this script MUST be the last user in the list.
- Multiple sshkeys can be specified if desired
- Only the user creating the linode needs to be specified, but until server setup is completed, only users in this vars file will be created and thus able to log on.
Server Setup
- Server setup variables that are always used, but can be overridden by the other vars files.
- Variables that are always used, but can be overridden by the other vars files.
- https://github.com/maximum-ethics/linode-caddy/blob/master/roles/sunrise/vars/local_tls.yml
- When you set local_tls, this switches you to use the local Caddyfile configuration so Caddy creates its own local certificates rather than bothering Let's Encrypt. This means that in order to view a website hosted on that server, you must accept our local HTTPS cert. Clearly this is only for testing purposes, not for production websites.
- Currently all servers default to local_tls, to avoid accidentally making things public. The only public server is america, and if you use our inventory, it will set local_tls to false. If you're working on america and accidentally set local_tls to true or fail to specify, you'll take our production server offline, so don't do that.
- vars used when the host is detected as Ubuntu
- Arch Linux specific variables
- runs when the host is detected as Arch Linux
Dependencies:
- ansible
- git
First, install git.
Then clone this repo to your local machine:
git clone https://github.com/maximum-ethics/linode-caddy.git
If you have push privileges on this repo, we recommend instead using SSH. First, you'll have to add an SSH key (that exists on your local machine) to GitHub. https://docs.github.com/en/authentication/connecting-to-github-with-ssh
Then:
git clone [email protected]:maximum-ethics/linode-caddy.git
First, install Ansible. On macOS we recommend first installing the Homebrew package manager, and then using that to install Ansible.
We are working on a set of installation scripts to bootstrap your local system using chezmoi, which would install Ansible as well, but they are not yet ready for public consumption.
Once you've installed Ansible, you may be able to install our server software onto your local machine by running commands like this from the git repo:
ansible-playbook local-machine.yml --tags local --ask-become-pass
ansible-playbook fish-local.yml --ask-become-pass
Or you might not, those are experimental works in progress.
https://www.linode.com/docs/products/tools/linode-api/guides/get-access-token/
We recommend using ED25519 SSH keys. Mozilla has some guidance for key generation.
at e.g. /etc/ansible/host_vars/localhost/vars.yml (or /usr/local/etc/ansible/hosts if you use homebrew on Mac to install Ansible)
inventory_directory: [e.g. /etc/ansible]
maximum_ethics_linode_token: [insert yours]
ssh_pub_key: [insert yours]
modify roles/new-linode_create/vars/main.yml if you are changing the linode label or whatever
add your ssh key to roles/new-linode_initiate-users/vars/main.yml and roles/sunrise/vars/main.yml
ansible-playbook new-linode.yml --ask-become-pass
e.g. ssh america
Change your password when prompted, and then you will be automatically logged out. Then you can log in again.
If you are working on our existing servers, and not creating a new Linode, you may be able to use the inventory file included in the repo, like so:
ansible-playbook sunrise.yml --ask-become-pass -i inventory
If you're working on your own servers, you'll need your own local inventory file.
This includes setting up the Caddy v2 web server, serving some hand-coded PHP websites and Hugo-generated websites.
WAIT! If you are changing the IP address for an existing domain name, consider the TTL! Linode's default TTL is 24 hours.
If you power up your new Caddy webserver before DNS resolves correctly, it won't be able to get certificates from Let's Encrypt, and won't serve your websites. Worse, you may annoy Let's Encrypt by exceeding their rate limits (requesting certs you can't get) and then you'll have to wait even longer!
Rather than testing changes publicly on the open web, set up a dev environment so that you can test this playbook without requesting certs from Let's Encrypt. If you use the local_tls option, Caddy will create its own local certificates on the server, and you can manually install the certs on your personal computer and point your /etc/hosts file at the correct IP address to preview what the site will look like.
Make sure all domains resolve to the correct IP addresses before using the public production Caddy config.
If you cloned with SSH as we recommend, a simple git push should work.
If you used HTTPS to clone the repo (not recommended), go to GitHub and sign in.
Profile->Settings->Developer Settings->Personal access tokens->Generate new token
git config --global credential.helper store
That will save your credentials next time you run a command. Then use the token in place of your password when you:
git push
We are planning to Give up GitHub. As part of our migration plan, we will begin using hydra hosting, setting up multiple git remotes of equal status. Currently we're using SourceHut, Codeberg, and GitHub, but once we have enough other hosts we'll eliminate GitHub.
You can run git remote set-url to switch remote locations if a host goes down. Right now, your options are:
- https://git.sr.ht/~skyfaller/linode-caddy
- https://codeberg.org/maximum-ethics/linode-caddy.git
- https://github.com/maximum-ethics/linode-caddy.git
Collaborators may prefer SSH:
[email protected]:~skyfaller/linode-caddy[email protected]:maximum-ethics/linode-caddy.git[email protected]:maximum-ethics/linode-caddy.git
But before pushing any commits, please make sure you know how to fetch from and push to all remotes simultaneously.
This project is licensed under the GNU Affero General Public License version 3 or any later version at your choice. See the LICENSE file for details.