## Basic server setup

Change the default root password on the server:

```sh
passwd
```

Update and upgrade all installed apt-get packages:

```sh
apt-get update
apt-get upgrade
```

## Create ansible user

Create a new user for ansible:

```sh
useradd ansible
```

Create home and `.ssh` directories for ansible:

```sh
mkdir /home/ansible
mkdir /home/ansible/.ssh
chmod 700 /home/ansible/.ssh
```

Allow your local machine to log in to the server:

```sh
vi /home/ansible/.ssh/authorized_keys
```

Paste the contents of your local `~/.ssh/id_dsa.pub` file into the new `authorized_keys` file on the server and save it.

Update ownership and permissions of the `ansible` user's home directory:

```sh
chmod 400 /home/ansible/.ssh/authorized_keys
chown ansible:ansible /home/ansible -R
```

Change the password for the `ansible` user:

```sh
passwd ansible
```

Give the `ansible` user root sudo access. First open the sudoers file:

```sh
visudo
```

Update the file so that only the following two users are listed:

```
root    ALL=(ALL) ALL
ansible ALL=(ALL) NOPASSWD:ALL
```

Lock down ssh and allow the `ansible` user to ssh in:

```sh
vi /etc/ssh/sshd_config
```

Make sure the following lines are in the file:

```
PermitRootLogin no
PasswordAuthentication no
AllowUsers ansible
```

This allows `ansible` to log in from any IP address. To restrict logins to specific IP addresses, change the last line to:

```
AllowUsers ansible@(your-ip) ansible@(another-ip-if-any)
```

Save the file, then restart ssh:

```sh
service ssh restart
```

Open a new terminal window (don't close your current `root` session) and try to log in:

```sh
ssh ansible@(your-server)
```

You should be able to log in to the server with no password needed.

## Install and test ansible is working

```sh
git clone git://github.com/ansible/ansible.git
cd ./ansible
source ./hacking/env-setup
```

Head over to GitHub, fork the Sovereign repository and check out a local copy of your new fork:

https://github.com/al3x/sovereign

Update the `hosts` file with your server's IP address and change the `user` value in `site.yml` to `ansible`:

```yaml
---
# This is the top-level playbook that defines our entire infrastructure.
- hosts: all
  user: ansible
  sudo: True
  gather_facts: False
  roles:
    - common
    - mailserver
    - blog
    - ircbouncer
    - monitoring
    - owncloud
    - vpn
```

From within your local Sovereign directory run the following:

```sh
ansible all -m ping -i ./hosts -u ansible
```

You should see something like this, which means you can successfully reach your server using `ansible`:

```
xx.xx.xx.xx | success >> {
    "changed": false,
    "ping": "pong"
}
```

## Installing MySQL

```sh
apt-get install mysql-server mysql-client
```

## Setting up EncFS

```sh
apt-get install encfs
mkdir /encrypted-mail /decrypted-mail
```

Note: I had existing /encrypted-mail and /decrypted-mail directories, so I needed to move (or delete) those before I could continue.

```sh
chgrp mail /decrypted-mail/
chmod -R g+rw /decrypted-mail/
gpasswd -a mail fuse
chgrp fuse /dev/fuse; chmod g+rw /dev/fuse
encfs /encrypted-mail /decrypted-mail --public
```

```
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?> p

New Encfs Password:
Verify Encfs Password:
```

## Installing Tarsnap

Make sure you have the dependencies installed:

```sh
apt-get install gcc make libssl-dev zlib1g-dev e2fslibs-dev
```

Download the latest Tarsnap tarball from the [download page](https://www.tarsnap.com/download.html):

```sh
wget https://www.tarsnap.com/download/tarsnap-autoconf-1.0.35.tgz
```

Extract and install Tarsnap:

```sh
tar -xvzf tarsnap-autoconf-1.0.35.tgz
cd tarsnap-autoconf-1.0.35/
./configure
make all install clean
```

Register your server as a Tarsnap client:

```sh
tarsnap-keygen --keyfile /root/tarsnap.key --user (your-tarsnap-account-email) --machine (server-name)
```

Copy the contents of `/root/tarsnap.key` into the local `root_tarsnap.key` file, which you will find in your local Sovereign repository.
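The SSH lockdown and permission steps in the sections above are easy to get subtly wrong: sshd honours the first occurrence of a keyword, so a `PermitRootLogin yes` left higher up in `sshd_config` silently wins over the `no` you appended, and a `chown -R` or a stray `chmod` can undo the `700`/`400` modes on the `ansible` user's `.ssh` directory. The following POSIX shell script is an added example, not part of the original notes or of the Sovereign project: it audits an `sshd_config` file and an `.ssh` directory against the values given above, and runs here against constructed sample files in a temporary directory. The function names, the sample addresses and the sample paths are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit the SSH lockdown and
# permission steps before restarting sshd. Function names and the sample files
# below are this example's own assumptions.

# directive_value FILE KEYWORD: print the value(s) following KEYWORD.
# The first uncommented occurrence wins, which is how sshd itself resolves
# duplicate directives; commented lines start with '#' and never match.
directive_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) {
        for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "")
        print ""
        exit
    }' "$1"
}

# sshd_config_ok FILE: succeed only if root login and password authentication
# are off and the ansible user (optionally pinned to a source IP) is allowed,
# while root is not listed in AllowUsers.
sshd_config_ok() {
    f="$1"
    [ "$(directive_value "$f" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no' in $f"; return 1; }
    [ "$(directive_value "$f" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not 'no' in $f"; return 1; }
    users=$(directive_value "$f" AllowUsers)
    case " $users " in
        *" ansible "* | *" ansible@"*) ;;
        *) echo "FAIL: AllowUsers does not include ansible in $f"; return 1 ;;
    esac
    case " $users " in
        *" root "* | *" root@"*) echo "FAIL: AllowUsers includes root in $f"; return 1 ;;
    esac
    echo "OK: $f"
}

# file_mode PATH: octal mode (GNU stat first, BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# ssh_dir_ok HOME: .ssh must be 700 and authorized_keys 400, as set above.
ssh_dir_ok() {
    [ "$(file_mode "$1/.ssh")" = "700" ] ||
        { echo "FAIL: $1/.ssh is not mode 700"; return 1; }
    [ "$(file_mode "$1/.ssh/authorized_keys")" = "400" ] ||
        { echo "FAIL: $1/.ssh/authorized_keys is not mode 400"; return 1; }
    echo "OK: $1/.ssh"
}

# --- Demo on constructed sample files (never touches /etc or /home) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config.good" <<'EOF'
# PermitRootLogin yes   <- commented out, ignored by sshd
PermitRootLogin no
PasswordAuthentication no
AllowUsers ansible@203.0.113.10
EOF
cat > "$demo_dir/sshd_config.bad" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
AllowUsers ansible root
EOF
mkdir -p "$demo_dir/home/ansible/.ssh"
: > "$demo_dir/home/ansible/.ssh/authorized_keys"
chmod 700 "$demo_dir/home/ansible/.ssh"
chmod 400 "$demo_dir/home/ansible/.ssh/authorized_keys"

sshd_config_ok "$demo_dir/sshd_config.good"
sshd_config_ok "$demo_dir/sshd_config.bad" || true   # expected: first PermitRootLogin is 'yes'
ssh_dir_ok "$demo_dir/home/ansible"
rm -rf "$demo_dir"
```

On a real server, run `sshd_config_ok /etc/ssh/sshd_config` and `ssh_dir_ok /home/ansible` from the still-open root session before `service ssh restart`; a failing check is cheaper to fix there than after the only remaining login path has been closed.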
## SSL certificate

```sh
apt-get install openssl
mkdir /etc/ssl/localcerts
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key
chmod 600 /etc/ssl/localcerts/apache*
```

## Resources

- [First 5 minutes on a server](http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers)
- [Installing Ansible on OSX](http://developer24hours.blogspot.com/2013/07/installing-and-running-ansible-on-mac.html)
- [NSA proof your email](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/)
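The `openssl req` command in the SSL certificate section above prompts interactively for the subject fields, which does not fit an ansible-driven setup, and nothing in that step confirms that the key and certificate written to `/etc/ssl/localcerts` actually belong together or that the private key ended up owner-only. The following POSIX shell script is an added example, not part of the original notes or of the Sovereign project: it generates the self-signed pair non-interactively into a directory given as a parameter and then verifies the result. It assumes `openssl` is installed; the output directory, the common name `mail.example.com` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original notes): generate the self-signed
# Apache certificate non-interactively and verify the result. The output
# directory, common name and function names are this example's assumptions.

# make_selfsigned DIR CN [DAYS]: write DIR/apache.key and DIR/apache.pem,
# passing the subject on the command line instead of answering prompts,
# then restrict the private key to its owner.
make_selfsigned() {
    dir="$1"; cn="$2"; days="${3:-365}"
    mkdir -p "$dir"
    openssl req -new -x509 -days "$days" -nodes -newkey rsa:2048 \
        -subj "/CN=$cn" \
        -keyout "$dir/apache.key" -out "$dir/apache.pem" 2>/dev/null
    chmod 600 "$dir/apache.key"
}

# file_mode PATH: octal mode (GNU stat first, BSD stat as a fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# key_perms_ok KEY: a private key must be readable by its owner only.
key_perms_ok() {
    case "$(file_mode "$1")" in
        600 | 400) return 0 ;;
        *) echo "FAIL: $1 mode is $(file_mode "$1"), want 600 or 400"; return 1 ;;
    esac
}

# keypair_matches KEY CERT: the certificate must carry the public half of KEY.
# Both commands print the public key in PEM form, so a string compare suffices.
keypair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for CERT SECONDS: fail if the certificate expires within SECONDS.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_cn CERT: print the subject CN the certificate was issued for
# (handles both the "CN = x" and the "/CN=x" subject formats).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# --- Demo in a temporary directory (never touches /etc/ssl) ---
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    make_selfsigned "$d" mail.example.com 365
    key_perms_ok "$d/apache.key" && echo "OK: private key is owner-only"
    keypair_matches "$d/apache.key" "$d/apache.pem" && echo "OK: key matches certificate"
    cert_valid_for "$d/apache.pem" 86400 && echo "OK: valid for at least one more day"
    echo "CN: $(cert_cn "$d/apache.pem")"
    rm -rf "$d"
fi
```

To reproduce the original step on the server, run `make_selfsigned /etc/ssl/localcerts your.mail.host 365` as root and then the three checks against `/etc/ssl/localcerts/apache.key` and `apache.pem`; `cert_valid_for` with a value such as `2592000` (30 days) is also a cheap expiry check to schedule, since a 365-day self-signed certificate will otherwise lapse unnoticed.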