Sovereign: Ansible playbooks to build and maintain your own private cloud

There are so many servers and apps being installed by Sovereign that I&#x27;m certain few would be able to keep it secure (<a href="https:&#x2F;&#x2F;github.com&#x2F;sovereign&#x2F;sovereign&#x2F;wiki&#x2F;Software-used-by-Sovereign" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;sovereign&#x2F;sovereign&#x2F;wiki&#x2F;Software-used-by...</a>). The big win for the cloud is that you&#x27;re paying a fraction of the cost for access to a, typically, enormous security and operations team. If you want to build software like this that allows people to self-host, you need to scale down what you deploy to what a single person can reasonably manage. This isn&#x27;t it.<p>Fun todo: Install this somewhere, nmap it for open ports, then ask &quot;How many of these services had a remotely exploitable CVE in the last year?&quot; &quot;If one of these services had one tomorrow, would I know to patch it and take action faster than someone would takeover my box?&quot; I don&#x27;t see any containment mechanisms on any of these services beyond what&#x27;s included by default so a compromise of one service likely leads to total compromise of the entire box.<p>I had to think about this a lot with AlgoVPN (<a href="https:&#x2F;&#x2F;github.com&#x2F;trailofbits&#x2F;algo" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;trailofbits&#x2F;algo</a>), and we built a system with no out-of-the-box remote administration, strong isolation between services with AppArmor, CPU accounting, and privilege reductions, and limited third party dependencies and software. You can&#x27;t count on a full-time, expert system administrator.

This is a pretty cool setup! I have been tinkering in the self-hosting world for awhile now and I would say my biggest piece of advice is to learn Docker. (Not trying to shill for Docker here or start a Docker vs. Ansible flame war.) In my personal experience, Docker images (and docker-compose orchestrations) are more pervasive than Ansible playbooks and when it comes to self-hosting for personal use, hosting all my services in Docker has made it much easier to deploy&#x2F;maintain them. (Not speaking to business use cases since in that situation you should really have a deep familiarity with your tech stack and be able to roll-your-own Ansible playbook&#x2F;Dockerfiles.)<p>Also, there are so many great FLOSS alternatives to Google Apps. This repo contains some, but here are some of my favorites:<p>* Drive&#x2F;Calendar&#x2F;Photos&#x2F;Keep:<p><pre><code> - https:&#x2F;&#x2F;nextcloud.com&#x2F; (I prefer this over OwnCloud) </code></pre> * Docs&#x2F;Sheets&#x2F;Slides<p><pre><code> - https:&#x2F;&#x2F;www.onlyoffice.com&#x2F; </code></pre> * Mail<p><pre><code> - https:&#x2F;&#x2F;mailu.io&#x2F; (basically a Docker-based deployment of Postfix&#x2F;Dovecot&#x2F;etc) </code></pre> * Hangouts<p><pre><code> - Server - https:&#x2F;&#x2F;matrix.org&#x2F; - Client - https:&#x2F;&#x2F;about.riot.im&#x2F; - (I prefer Matrix.org over Jabber&#x2F;XMPP) </code></pre> * G+&#x2F;Twitter<p><pre><code> - https:&#x2F;&#x2F;joinmastodon.org&#x2F;</code></pre>

For my fellow HNers, this is &quot;private cloud&quot; in the meaning of Owncloud, not of Openstack.

Wow, didn&#x27;t expect to see Sovereign at the top of HN today! I&#x27;m one of the project contributors.<p>If this project piques your interest, please consider contributing! We could really need more helping hands.<p>Ansible is easy to learn and most (not all!) problems due to new versions are easy to fix.<p>Also, if you only want to use a fraction of what Sovereign has to offer to reduce your server&#x27;s attack surface, that&#x27;s easy! Just follow the instructions.

On the general topic of Ansible and personal infrastructure:<p>Every time I attempt to use Ansible (or its kin) to manage my own network, it feels overly obtuse and ultimately unhelpful. Its gains seem to be rooted in configuring a large number of <i>identical</i> servers, and isn&#x27;t geared for a handful of hosts with some commonalities and some differences. Writing playbooks feels like a still-imperative wrapper around shell commands, just in a bespoke and verbose YAML syntax.<p>Instead I am using my own script that runs a tree of files through a template engine, drops them on each host being configured, and then runs triggers based on what has changed. This seems utterly simplistic, lacks polish, eschews common practices, etc. But the overall configuration seems straightforwardly grokkable compared to the heavy tools.

For those in the market to run a private cloud, please try <a href="https:&#x2F;&#x2F;cloudron.io" rel="nofollow">https:&#x2F;&#x2F;cloudron.io</a> . Our motivation is to make it simple to selfhost apps . The main advantage is that we take care of automatic updates across all the apps we package. Happy to answer any questions.<p>Disclaimer: I am the co-founder

This looks super cool.<p>Though somewhat offtopic, this line absolutely cracked me up.<p>&gt;A VPS (or bare-metal server if you wanna ball hard).<p>I can appreciate a sense of humor.

There seems to be a few questionable picks in the readme.<p>* Why pick ownCloud over NextCloud? The former&#x27;s forum had 139 posts in the last 7 days and the latter&#x27;s forum had about 1700. Also some of the features in the former product are locked for enterprise only.<p><a href="https:&#x2F;&#x2F;central.owncloud.org&#x2F;about" rel="nofollow">https:&#x2F;&#x2F;central.owncloud.org&#x2F;about</a><p><a href="https:&#x2F;&#x2F;help.nextcloud.com&#x2F;about" rel="nofollow">https:&#x2F;&#x2F;help.nextcloud.com&#x2F;about</a><p>* Tarsnap is a paid online service. You could try restic command to have encrypted backup to remote storages.<p>* cgit is an old project released more than 10 years ago and despite being written by the author of wireguard, we have far better stuff like Gitea (or its fork source Gogs) to have user access control with nice web interface for git project management.

I currently just let my desktop run constantly. It runs Windows in a KMS for games and sleeping breaks it so I never even suspend. It only seems to use about $10&#x2F;month in power. I have been considering using DDNS through my router and Cloudflare and trying to create a iOS&#x2F;Android app that will automatically upload my photos to the my DDNS for storage on my desktop. It feels a little crazy but the idea of syncing my photos to my own machine with no middle man is comforting.<p>DDNS seems like it&#x27;s a local too good to be true for solving the dynamic IP problem. I&#x27;d prefer to have a static IP for my gigabit Internet but sadly Webpass doesn&#x27;t allow it. Does anyone have experience doing something like this?

I looked at Soverign at the time I was setting up private cloud on a $5 VPS (prgmr.com with 1.5 gb ram)<p>I went with YunoHost.<p><a href="https:&#x2F;&#x2F;yunohost.org&#x2F;#&#x2F;apps" rel="nofollow">https:&#x2F;&#x2F;yunohost.org&#x2F;#&#x2F;apps</a><p>I initially tried sovereign, but once I figured out I had to pay for tarsnap backup service, and that it did not have ansible for nginx setup (I needed that experience for work stuff), I went with Yunohost.<p>Sofar I am happy with YunoHost and subscribed to send periodic donation to the project.<p>Overall, though, if you are working with ansible at work, or want to advance in devops field, learning ansible and contributing to Sovereign project would be a good path to take.

Dumb question maybe... but why would you not just configure this yourself on a single virt&#x2F;host? Most of these services would take less than a day to configure. So many questions on why this is a good thing.<p>Like, there are countless ways to configure your MTA and spam filtering- if you are going to have to dig through this config.. why not just roll your own?<p>Can someone explain to me why you need ansimble for this? or am I just being stupid and this is like an exercise to show what the toolchain can do?

As the CTO of an established company, I cannot imagine a situation where I would prefer to maintain my own infrastructure vs using managed cloud services.<p>If I get locked in on a specific product, it&#x27;s way cheaper to redesign that around an alternative vendor than it is to maintain a private cloud (Ansible, Kubernetes and friends included).<p>As a nerd, I&#x27;d prefer to do things myself, but I have business needs to attend to.

Is there a benefit to doing this over something like Cloudron(1)?<p>I see this being for people that just want things to work without much of the effort to make it so. If that’s the case, a simple web UI that treats all the little solutions as “apps” in a way makes sense. Not plugging here, just curious to the practical everyday differences.<p>1. <a href="https:&#x2F;&#x2F;cloudron.io" rel="nofollow">https:&#x2F;&#x2F;cloudron.io</a>

I&#x27;ve used this project off and on for years, and it&#x27;s always worked perfectly. I&#x27;d have an infosec conference to go to, I&#x27;d setup a host with wireguard, give my friends the cert, we&#x27;d all tunnel out though that, then tear it down after the con. Total cost a few dollars (most are $5&#x2F;month)

Does anyone here on HN have experience <i>using</i> Sovereign in a team setting? I have a few questions:<p>* <i>Mobile contact and calendar syncing</i>: How well and reliably does it work?<p>* <i>Calendar group features</i>: how well do they work?<p>* <i>Setup and maintenance</i>: how much hassle is involved?

Isn&#x27;t this just duplicating effort that&#x27;s probably already been done, in many cases by the first-party maintainers, in Dockerfiles?<p>I don&#x27;t mean to start &#x27;Docker vs. Ansible&#x27;, I just wonder why if you wanted a quick way to setup a single-server &#x27;own private cloud&#x27; you wouldn&#x27;t just go with what already exists, and list the images you want in a docker-compose.yaml file?<p>(Which would additionally set you up for &#x27;scaling&#x27; if you had any concern that you might be able to save some cash with a two or three smaller servers than one big one by the time you&#x27;d installed everything you want.)

Nice resource, will definitely give it a spin, also this is the first time I&#x27;ve ever come accross `Tarsnap` looks really interesting too !

Nowhere do I see mention of how to update and upgrade this thing after initial deployment... How does it work ?

I&#x27;ve used Ansible successfully to turn Windows laptops into Wintendo machines :)

One of the most important things when managing data is not losing it. Does this have a solution for doing backups built in or do you come up with your own solution like using something your web host provides?

Version for a Pi.<p>Version for BSD.

I wrote something similar that&#x27;s custom for my personal infrastructure:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;sumdog&#x2F;bee2" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;sumdog&#x2F;bee2</a><p>There are some blog posts in the README that go into how I built a lot of it. A lot of it is specialized for me though. I have a ton of rspec&#x2F;tests but I don&#x27;t have a real config schema or entirely useful error messages. I might add some in the future.<p>Looking at the list in this, I&#x27;d advice against nextCloud(ownCloud). I recently setup their official Docker containers and the web piece works alright, but their F-droid app continually crashes and I had to uninstall it and the nextcloud-client in Gentoo&#x27;s package manager segfaults at home and refused to build at work.<p>I&#x27;ve read other stories of data loss with nextcloud. It might be better now but my initial experiences made me use syncthing. Syncthing does use relays if you&#x27;re behind a NAT, but if you have openvpn setup, you can also force it to use a direct IP address as well.<p>If you&#x27;re thinking if self hosting and have the time, I&#x27;d suggest building it yourself; borrowing (and properly accrediting&#x2F;licensing) other open source projects, their ansible scripts and containers and such. You learn a whole lot about why this tooling is so complex.

Quit this damn nonsense with Ansible or whatever garbage fashion fad is in vogue these days and finally learn how to make OS packages so you can do configuration management with normal shell scripting inside of them, because that&#x27;s what it&#x27;s for. The amount of incompetence and insanity from incompetence has gone too far. Damn it, this is exactly why IT sucks so bad!!!