This guide details the steps to deploy a production-ready Cafe Variome instance on a Linux server.
- Operating System: Ubuntu 24.04+ or Debian 12+ machine.
- Access: SSH access to the target machine with a user that has sudo privileges (referred to as $BASTION_USER).
- Ansible: Ansible installed on your control machine.
Clone the Linux Server Management repository to your control machine:

```shell
git clone https://github.com/NeuroTech-Platform/linux-server-management.git
cd linux-server-management
```

Before running any playbooks, you need to define your target host and its specific configuration.
Create an inventory file (e.g., inventories/production/inventory) to define your target host:

```ini
[cafe-variome-node]
your-server-ip-or-hostname
```

Ansible needs to know which servers to manage. This file maps your server's hostname or IP address to a group name (cafe-variome-node) that the playbooks will target.
Create a host variable file to configure the server, including user management and security settings.
Create the directory and file: host_vars/cafe-variome-node/vars.yml.
Use the following template, based on host_vars/README.md of the upstream repository, adjusting values as needed (especially SSH keys and passwords):
```yaml
---
# User Management
MANAGE_USERS: true
SSH_USERLIST:
  - username: admin
    admin: true
    public_key: "ssh-ed25519 AAAA..." # Replace with your actual public key
    initialpassword: "94_ChangeMe123!" # Replace with a secure password

# Security & Hardening
DISABLE_ROOT_ACCOUNT: true
MANAGE_SSH: true
SSHD_ADMIN_NET:
  - "0.0.0.0/0" # Restrict this to your management IP/subnet for better security

# Firewall
MANAGE_UFW: true
UFW_OUTGOING_TRAFFIC:
  - { "port": 22, "proto": "tcp" }
  - 53 # DNS
  - { "port": 80, "proto": "tcp" }
  - { "port": 443, "proto": "tcp" }
  - { "port": 123, "proto": "udp" } # NTP

# Docker Configuration
DOCKER_USER: "dockeruser"
DOCKER_COMPOSE: true
```

Host variables allow you to define specific configurations for a single host. Here, we define the users to be created, their SSH keys, firewall rules, and Docker settings. This ensures your server is configured exactly as needed for Cafe Variome. Most other settings are secure by default, inheriting from the upstream hardening roles and the repository's setup-playbook.yml and install-docker-rootless.yml.
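A preflight check for the host variables above, as an added example that is not part of the linux-server-management repository: it flags the placeholders the template ships with (the wildcard SSHD_ADMIN_NET, the placeholder key and the template password) before setup-playbook.yml is run. The function name, the thresholds and the two sample dicts are assumptions.

```python
"""Preflight lint for a linux-server-management host_vars file.
Added example, not part of the upstream repository: the key names come from
the template above; the thresholds, names and sample values are assumptions."""
import ipaddress

TEMPLATE_PASSWORD = "94_ChangeMe123!"  # placeholder value from the template
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com"}


def lint_host_vars(v: dict) -> list:
    """Return findings that should block a setup-playbook.yml run; [] means clean."""
    findings = []
    if not v.get("DISABLE_ROOT_ACCOUNT"):
        findings.append("DISABLE_ROOT_ACCOUNT should be true")
    if not v.get("MANAGE_UFW"):
        findings.append("MANAGE_UFW should be true so the firewall rules are applied")
    for net in v.get("SSHD_ADMIN_NET", []):
        try:  # a /0 prefix (0.0.0.0/0 or ::/0) means admin SSH from anywhere
            if ipaddress.ip_network(net, strict=False).prefixlen == 0:
                findings.append(f"SSHD_ADMIN_NET {net} allows admin SSH from anywhere")
        except ValueError:
            findings.append(f"SSHD_ADMIN_NET entry {net!r} is not a valid CIDR")
    admins = 0
    for u in v.get("SSH_USERLIST", []):
        name = u.get("username", "?")
        admins += bool(u.get("admin"))
        parts = u.get("public_key", "").split()  # "<type> <base64> [comment]"
        if len(parts) < 2 or parts[0] not in KEY_TYPES or parts[1].endswith("..."):
            findings.append(f"user {name}: public_key missing, unknown type or placeholder")
        pw = u.get("initialpassword", "")
        if pw == TEMPLATE_PASSWORD or len(pw) < 14:
            findings.append(f"user {name}: initialpassword is the template default or too short")
    if v.get("MANAGE_USERS") and admins == 0:
        findings.append("no admin user: nobody could sudo once the root account is disabled")
    return findings


# Constructed samples: the template above as YAML loads it, and a hardened variant.
TEMPLATE_VARS = {
    "MANAGE_USERS": True, "DISABLE_ROOT_ACCOUNT": True, "MANAGE_SSH": True,
    "MANAGE_UFW": True, "SSHD_ADMIN_NET": ["0.0.0.0/0"],
    "SSH_USERLIST": [{"username": "admin", "admin": True,
                      "public_key": "ssh-ed25519 AAAA...",
                      "initialpassword": "94_ChangeMe123!"}],
}
HARDENED_VARS = {**TEMPLATE_VARS, "SSHD_ADMIN_NET": ["203.0.113.0/24"],
                 "SSH_USERLIST": [{"username": "admin", "admin": True,
                                   "public_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeSampleKey",
                                   "initialpassword": "Xq7!vL2#pR9mTz4w"}]}
```

To lint a real file, pass the dict returned by yaml.safe_load on host_vars/cafe-variome-node/vars.yml (PyYAML is installed with Ansible).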
Run the setup playbook to apply security hardening, create users, and configure the firewall:

```shell
# Initial SSH user of the freshly provisioned machine
BASTION_USER="server_bootstrap_username_usually_ubuntu_or_root"
ansible-playbook -i inventories/production/inventory -l cafe-variome-node -u "$BASTION_USER" setup-playbook.yml
```

This playbook applies security best practices (CIS benchmarks) to harden the operating system. It creates the specified users, configures the firewall (UFW), and secures the SSH daemon to prevent unauthorized access.

Note: Replace $BASTION_USER with the initial SSH user of the machine (e.g., ubuntu or root).
Install Docker in rootless mode for enhanced security with CIS controls:

```shell
# After the setup playbook the bootstrap user may no longer work (root is disabled),
# so this is typically the admin user defined in SSH_USERLIST
BASTION_USER="possibly_new_user_after_previous_run"
ansible-playbook -i inventories/production/inventory -l cafe-variome-node -u "$BASTION_USER" install-docker-rootless.yml -K
```

Running Docker in rootless mode improves security by running the Docker daemon and containers as a non-root user. This mitigates potential vulnerabilities where a container breakout could lead to root access on the host. The setup also follows CIS recommendations as closely as possible.

The -K flag prompts for the sudo password, which is required for some steps.
Note: This section is still in testing and in the writing process.
This project and part of its upstream contributions have received funding from the IMI 2 Joint Undertaking (JU) under grant agreement No. 101034344.