This is the deployment for my personal server with Outline/Shadowsocks on board, for me and my friends to bypass internet censorship.
https://getoutline.org/get-started/#step-3
There are two types of hosts: frontman and proxy. The frontman is deployed as a single instance (sharding behind a single DNS record and/or IP address is allowed). Proxies can be deployed as many instances as needed; each instance needs a dedicated IP address and a DNS record (if one exists). All hosts must be Debian hosts with public IPs.
The frontman is a single Linux host with the following tools installed and configured:
- nginx serving static content over HTTPS:
  - static HTML pages with installation instructions. Each user receives a private instruction link with a personal ShadowSocks configuration, which the user uses once to install the ShadowSocks configuration
  - personal dynamic ShadowSocks configuration JSON files (SIP008) for each client, which the ShadowSocks client fetches each time before connecting to a ShadowSocks server
- certbot for automatic and free renewal of the HTTPS certificates used by nginx

Playbook: `frontman.yml`
As many proxy hosts as needed can be deployed, but each one needs its own IP address and/or DNS record. Each proxy is a Linux host with the following installed:
- nginx that proxies traffic:
  - if the connection is recognized as TLS, the request is handled as an HTTPS connection
  - otherwise, the connection is proxied to the ShadowSocks server
- outline-ss-server: Shadowsocks implementation made by https://jigsaw.google.com that supports multiple access keys
- prometheus: monitoring to detect traffic abuse
- node-exporter: Prometheus exporter for hardware and OS metrics

Playbook: `proxies.yml`
This part requires Ansible knowledge. The deployment is tested on and implemented for Debian only.
- Initialize the pre-commit hook to prevent secrets from being leaked:
  - Install pre-commit
  - Initialize the pre-commit hook:
    ```
    pre-commit install
    ```
- Create a `vault.txt` file in the repository root. Put your vault password in it. Make sure that only you have permissions to read/write it:
  ```
  chmod 600 vault.txt
  ```
- If the servers are not configured yet, skip this step and go to the "New server setup" section. Otherwise, if a server is already configured, put the SSH private key in an `id_rsa` file in the root of the local repository. Make sure that only you have permissions to read/write it:
  ```
  chmod 600 id_rsa
  ```
Users are stored in the encrypted `users.yml` file with the following schema:
```yaml
users:
  user1_name: user1_uuid
  user2_name: user2_uuid
  user3_name: user3_uuid
```
To create a new user, you should:
- Decrypt the users file:
  ```
  make decrypt_users
  ```
- Add/update users and secrets in the file
- Encrypt the file back:
  ```
  make encrypt_users
  ```

New server setup

- Generate a new SSH key and store it in the `id_rsa` file in the root of the local repository (if you have already generated keys, skip this step):
  ```
  ssh-keygen -t ed25519 -C "[email protected]"
  ```
- Add the content of the `id_rsa.pub` file (also produced by the previous command) to the `/root/.ssh/authorized_keys` file on the new server. Make sure that proper access rights are granted:
  ```
  chmod 700 /root/.ssh && chmod 600 /root/.ssh/authorized_keys
  ```
- Update the hosts file:
  - Decrypt the hosts file:
    ```
    make decrypt_hosts
    ```
  - Add/update servers in the file
  - Encrypt the hosts file:
    ```
    make encrypt_hosts
    ```
- Update inventory variables:
  - Create a new directory in `group_vars` and provide the variables specific to the particular server
  - Update the list of servers in `vars.yml`
  - Update the list of hosts in `proxies.yml`
Read code and find out
Just push to the master branch. GitHub Actions will automatically apply updates to the servers.

The following GitHub secrets are required for CD:
- `KNOWN_HOSTS`: list of known hosts, as in `.ssh/known_hosts`
- `SSH_PRIVATE_KEY`: SSH private key to access the servers
- `VAULT_PASSWORD`: vault password

A successful workflow generates an encrypted `URIs.txt`, which you can download to the repository root and decrypt with the following command:
```
make decrypt_uris
```
It can be useful for sharing SS URIs with users.
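A worked example of the two per-user artefacts described above, the SIP008 JSON that the frontman serves to each client and the ss:// URIs collected in `URIs.txt`. This is added example code, not part of the repository; the proxy hosts, user uuid, secret and cipher in it are constructed assumptions.

```python
import base64
import uuid
from urllib.parse import quote, unquote

# Constructed sample data (assumptions, not from the repository): proxy hosts
# as in the inventory, the users.yml name -> uuid mapping, and a per-user
# Shadowsocks secret plus cipher.
PROXIES = [
    {"name": "proxy1", "host": "proxy1.example.org", "port": 443},
    {"name": "proxy2", "host": "203.0.113.10", "port": 443},
]
USERS = {"alice": "4f7c2f9e-3b4d-4a7e-9b5c-2d6f1a8e0c11"}
SECRETS = {"alice": "s3cr3t-p4ssw0rd"}
METHOD = "chacha20-ietf-poly1305"

def sip008_config(user: str) -> dict:
    """Per-client SIP008 document (what the frontman serves over HTTPS).
    One entry per proxy; the id is derived deterministically from the user
    uuid and proxy name so clients can match entries across updates."""
    servers = [{
        "id": str(uuid.uuid5(uuid.UUID(USERS[user]), p["name"])),
        "remarks": p["name"],
        "server": p["host"],
        "server_port": p["port"],
        "password": SECRETS[user],
        "method": METHOD,
    } for p in PROXIES]
    return {"version": 1, "servers": servers}

def ss_uri(user: str, proxy: dict) -> str:
    """SIP002 ss:// URI for one proxy: base64url(method:password) without
    padding, then host:port and a URL-encoded tag (the URIs.txt form)."""
    userinfo = base64.urlsafe_b64encode(
        f"{METHOD}:{SECRETS[user]}".encode()).decode().rstrip("=")
    return f"ss://{userinfo}@{proxy['host']}:{proxy['port']}#{quote(proxy['name'])}"

def parse_ss_uri(uri: str) -> dict:
    """Decode a SIP002 URI back into fields, to verify what a client will see."""
    if not uri.startswith("ss://"):
        raise ValueError("not an ss:// URI")
    body, _, tag = uri[5:].partition("#")
    userinfo, _, hostport = body.rpartition("@")
    userinfo += "=" * (-len(userinfo) % 4)  # restore base64 padding
    method, _, password = base64.urlsafe_b64decode(userinfo).decode().partition(":")
    host, _, port = hostport.rpartition(":")
    return {"method": method, "password": password, "server": host,
            "server_port": int(port), "remarks": unquote(tag)}
```

The same secret appears in every server entry and in every URI for a user, so rotating it means regenerating and re-serving the SIP008 file, which is why the dynamic config is fetched on each connect rather than installed once.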
```
make deploy_frontman deploy_proxies
make generate_user
ansible-vault decrypt --vault-password-file vault.txt
ansible-vault encrypt --vault-password-file vault.txt
ansible-vault encrypt --vault-password-file vault.txt <file_path>
ansible-vault decrypt --vault-password-file vault.txt <file_path>
```