personal_infra/01_infra_setup.md

# 01 Infra Setup

This describes how to prepare each machine before deploying services on them.

## First steps

* Create an ssh key or pick an existing one. We'll refer to it as the `personal_ssh_key`.
* Deploy ansible on the laptop (Lapy), which will act as the ansible control node. To do so:
  * Create a `venv`: `python3 -m venv venv`
  * Activate it: `source venv/bin/activate`
  * Install the listed ansible requirements with `pip install -r requirements.txt`
* Keep in mind you should activate this `venv` from now on when running `ansible` commands.

## Domain

* Some services are designed to be accessible through WAN through a friendly URL.
* You'll need to have a domain where you can set DNS records and have the ability to create different subdomains, as the guide assumes each service will get its own subdomain.
* Getting and configuring the domain is outside the scope of this repo. Whenever a service needs you to set up a subdomain, it will be mentioned explictly.
* You should add the domain to the var `root_domain` in `ansible/infra_vars.yml`.

## Prepare the VPSs (vipy and watchtower)

### Source the VPSs

* The guide is agnostic to which provider you pick, but has been tested with VMs from https://99stack.com and contains some operations that are specifically relevant to their VPSs.
* The expectations are that the VPS ticks the following boxes:
  + Runs Debian 12 bookworm.
  + Has a public IP4 and starts out with SSH listening on port 22.
  + Boots with one of your SSH keys already authorized. If this is not the case, you'll have to manually drop the pubkey there before using the playbooks.
* You will need two VPSs: one to host most services, and another tiny one to monitor Uptime. We use two to prevent the monitoring service from falling down with the main machine.
* Move on once your VPSs are running and satisfies the prerequisites.

### Prepare Ansible vars

* You have an example `ansible/example.inventory.ini`. Copy it with `cp ansible/example.inventory.ini ansible/inventory.ini` and fill in with the values for your VPSs. `[vipy]` is the services VPS. `[watchtower]` is the watchtower VPS.
* A few notes:
  * The guides assume you'll only have one VPS in the `[vipy]` group. Stuff will break if you have multiple, so avoid that.

### Create user and secure VPS access

* Ansible will create a user on the first playbook `01_basic_vps_setup_playbook.yml`. This is the user that will get used regularly. But, since this user doesn't exist, you obviosuly need to first run this playbook from some other user. We assume your VPS provider has given you a root user, which is what you need to define as the running user in the next command.
* cd into `ansible`
* Run `ansible-playbook -i inventory.ini infra/01_user_and_access_setup_playbook.yml -e 'ansible_user="your root user here"'`
* Then, configure firewall access, fail2ban and auditd with `ansible-playbook -i inventory.ini infra/02_firewall_and_fail2ban_playbook.yml`. Since the user we will use is now present, there is no need to specify the user anymore.

Note that, by applying these playbooks, both the root user and the `counterweight` user will use the same SSH pubkey for auth.

## GPG Keys

Some of the backups are stored encrypted for security. To allow this, fill in the gpg variables listed in `example.inventory.ini` under the `lapy` block.
lots of stuff 2025-07-03 17:21:31 +02:00			`# 01 Infra Setup`
wip 2025-07-01 10:39:01 +02:00
			`This describes how to prepare each machine before deploying services on them.`

lots of stuff 2025-07-03 17:21:31 +02:00			`## First steps`
wip 2025-07-01 10:39:01 +02:00
			* Create an ssh key or pick an existing one. We'll refer to it as the `personal_ssh_key`.
thingies 2025-07-01 16:14:44 +02:00			`* Deploy ansible on the laptop (Lapy), which will act as the ansible control node. To do so:`
			* Create a `venv`: `python3 -m venv venv`
			* Activate it: `source venv/bin/activate`
			* Install the listed ansible requirements with `pip install -r requirements.txt`
			* Keep in mind you should activate this `venv` from now on when running `ansible` commands.
wip 2025-07-01 10:39:01 +02:00
lots of stuff 2025-07-03 17:21:31 +02:00			`## Domain`
wip 2025-07-01 10:39:01 +02:00
lots of stuff 2025-07-03 17:21:31 +02:00			`* Some services are designed to be accessible through WAN through a friendly URL.`
			`* You'll need to have a domain where you can set DNS records and have the ability to create different subdomains, as the guide assumes each service will get its own subdomain.`
			`* Getting and configuring the domain is outside the scope of this repo. Whenever a service needs you to set up a subdomain, it will be mentioned explictly.`
			* You should add the domain to the var `root_domain` in `ansible/infra_vars.yml`.

Separate watchtower from vipy 2025-07-21 09:39:36 +02:00			`## Prepare the VPSs (vipy and watchtower)`
lots of stuff 2025-07-03 17:21:31 +02:00
Separate watchtower from vipy 2025-07-21 09:39:36 +02:00			`### Source the VPSs`
wip 2025-07-01 10:39:01 +02:00
a few things 2025-07-09 00:32:51 +02:00			`* The guide is agnostic to which provider you pick, but has been tested with VMs from https://99stack.com and contains some operations that are specifically relevant to their VPSs.`
wip 2025-07-01 10:39:01 +02:00			`* The expectations are that the VPS ticks the following boxes:`
			`+ Runs Debian 12 bookworm.`
			`+ Has a public IP4 and starts out with SSH listening on port 22.`
lots of stuff 2025-07-03 17:21:31 +02:00			`+ Boots with one of your SSH keys already authorized. If this is not the case, you'll have to manually drop the pubkey there before using the playbooks.`
Separate watchtower from vipy 2025-07-21 09:39:36 +02:00			`* You will need two VPSs: one to host most services, and another tiny one to monitor Uptime. We use two to prevent the monitoring service from falling down with the main machine.`
			`* Move on once your VPSs are running and satisfies the prerequisites.`
wip 2025-07-01 10:39:01 +02:00
lots of stuff 2025-07-03 17:21:31 +02:00			`### Prepare Ansible vars`
wip 2025-07-01 10:39:01 +02:00
Separate watchtower from vipy 2025-07-21 09:39:36 +02:00			* You have an example `ansible/example.inventory.ini`. Copy it with `cp ansible/example.inventory.ini ansible/inventory.ini` and fill in with the values for your VPSs. `[vipy]` is the services VPS. `[watchtower]` is the watchtower VPS.
lots of stuff 2025-07-03 17:21:31 +02:00			`* A few notes:`
Separate watchtower from vipy 2025-07-21 09:39:36 +02:00			* The guides assume you'll only have one VPS in the `[vipy]` group. Stuff will break if you have multiple, so avoid that.
wip 2025-07-01 10:39:01 +02:00
lots of stuff 2025-07-03 17:21:31 +02:00			`### Create user and secure VPS access`
wip 2025-07-01 10:39:01 +02:00
thingies 2025-07-01 16:14:44 +02:00			* Ansible will create a user on the first playbook `01_basic_vps_setup_playbook.yml`. This is the user that will get used regularly. But, since this user doesn't exist, you obviosuly need to first run this playbook from some other user. We assume your VPS provider has given you a root user, which is what you need to define as the running user in the next command.
			* cd into `ansible`
lots of stuff 2025-07-03 17:21:31 +02:00			* Run `ansible-playbook -i inventory.ini infra/01_user_and_access_setup_playbook.yml -e 'ansible_user="your root user here"'`
			* Then, configure firewall access, fail2ban and auditd with `ansible-playbook -i inventory.ini infra/02_firewall_and_fail2ban_playbook.yml`. Since the user we will use is now present, there is no need to specify the user anymore.
thingies 2025-07-01 16:14:44 +02:00
lnbits deployment seems to work 2025-08-20 16:02:48 +02:00			Note that, by applying these playbooks, both the root user and the `counterweight` user will use the same SSH pubkey for auth.

			`## GPG Keys`

			Some of the backups are stored encrypted for security. To allow this, fill in the gpg variables listed in `example.inventory.ini` under the `lapy` block.