This is deployment for my personal server with outline/shadowsocks on board for me and my friends to bypass internet censorship.
https://getoutline.org/get-started/#step-3
There are two types of hosts: frontman and proxy. Frontman should be deployed as a single instance (sharding under single DNS record or IP address is allowed). Proxies could be deployed as many instances as needed, each instance should have dedicated IP address and DNS record (if exists). All hosts should be Debian hosts with public IPs.
It is a single linux host serving static content over HTTPS:
- Static html pages with installation instructions. User opens a received link to get an instruction with personal ShadowSocks configuration
- Personal dynamic ShadowSocks configuration (SIP008) for each client
- certbot for automatic and free renewal of HTTPS certificates
Playbook: frontman.yml
As many proxy hosts as needed could be deployed but each one should have its own IP address and/or DNS record. Proxy(ies) is/are linux host(s) with installed
- nginx that proxies traffic:
- if connection is recognized as TLS, request is handled as HTTPS connection
- otherwise; connection is proxied to Shadosocks
- outline-ss-server: Shadowsocks implementation made by https://jigsaw.google.com that supports multiple access keys
- prometheus: monitoring to detect traffic abuse
- node-exporter: Prometheus exporter for hardware and OS metrics
Playbook: proxies.yml
This part requires Ansible knowledge. The deployment is tested on and implemented for Debian only.
- Initialize pre-commit hook to prevent secrets from being leaked:
- Install pre-commit
- Initialize pre-commit hook:
pre-commit install
- Create
vault.txtfile in the repository root. Put your vault password file in it. Make sure that only you have permissions to read/write it:chmod 600 vault.txt! - If servers are not configured yet, skip this step and go to "New server setup" section. Otherwise if server is already configured, add SSH private key to
id_rsafile in the root of the local repository. Make sure that only you have permissions to read/write it:chmod 600 id_rsa!
Users are stored in encrypted users.yml file with the following schema:
users:
user1_name: user1_uuid
user2_name: user2_uuid
user3_name: user3_uuidTo create a new user, you should:
- Decrypt the file with users:
make decrypt_users - Add/update users and secrets to the file
- Encrypt the file back:
make encrypt_users
- Generate new SSH key and store it in
id_rsafile in the root of the local repository:If you have already generated keys, skip this step.ssh-keygen -t ed25519 -C "your_email@example.com" - Add content of
is_rsa.pubfile (is also a result of previous command) to/root/.ssh/authorized_keysfile on a new server. Make sure that proper access rights are granted:chmod 700 /root/.ssh && chmod 600 /root/.ssh/authorized_keys! - Update hosts file
- Decrypt hosts file:
make decrypt_hosts - Add/update servers in the file
- Encrypt hosts file:
make encrypt_hosts - Decrypt hosts file:
- Update inventory variables
- Create a new directory in group_vars and provide variable specific to the particular server
- Update list of servers in vars.yml
- Update list of hosts in proxies.yml
Read code and find out
Just push to master branch. GitHub Actions will automatically apply updates to the servers.
The following GitHub secrets are required for CD:
KNOWN_HOSTS: list of known hosts as in.ssh/known_hostsSSH_PRIVATE_KEY: SSH private key to access serversVAULT_PASSWORD: vault password
Successful workflow generates an encrypted URIs.txt you can download to repository root and run the following command
to decrypt the file:
make decrypt_uris
It can be useful for sharing SS URIs with users.
make deploy_frontman deploy_proxies
make generate_user
ansible-vault decrypt --vault-password-file vault.txt
ansible-vault encrypt --vault-password-file vault.txt
ansible-vault encrypt --vault-password-file vault.txt <file_path>
ansible-vault decrypt --vault-password-file vault.txt <file_path>