Mike Ashley

Self-Hosting with Sovereign

October 26, 2014

I’ve moved the family’s Internet domain away from Google and over to Linode. I used Sovereign, a set of Ansible playbooks for maintaining a personal cloud. I’m using this post to document my initial experience with Sovereign and the server I built with it.

Sovereign provides a lot of services. I’ve chosen to implement just a few of them:

It’s a pretty basic set of services, although Sovereign does a lot more behind the scenes for backups, intrusion prevention, spam fighting, etc. It’s an enormous help for getting a practical, secure server running.

Configuring the server was traightforward, although there were a few hiccups along the way. I hope these notes are helpful for others using Sovereign.

Server reboots

The server uses an encrypted filesystem for personal data such as email and OwnCloud files. If the server is restarted, the file system must be remounted. It’s easy to do this by rerunning the encfs playbook; you just need to know that it’s necessary.

Handling multiple users

Sovereign’s setup seems to be designed for a single user, but I am also supporting my family. Out of the box, Sovereign’s configuration has to be updated and playbooks rerun to change email passwords, add accounts, or change mail forwarding. This was ok for my family of four but obviously won’t scale.

Contacts

I lost the pictures associated with my contacts when I migrated from Google to OwnCloud. I am not sure if the problem was export from Google or import into OwnCloud. I lost all pictures, but this only affected about ten contacts. It was a nuisance for me but may be a bigger problem for others.

Migrating email away from Google

The Sovereign documentation recommends larch for migrating email. Indeed, it works great. Unfortunately, it can lead to email duplication at the destination if an email message has more than one tag. As far as I know there is no way arond this. You just have to deal with it as a cost of leaving Google.

Webmail

I installed on a Debian Wheezy box. Debian is stable, but it lags on package updates. Specifically, Roundcube 0.7.x gets installed, but the themes for the client side these days are all implemented for the 0.9 and 1.0 series.

I haven’t investigated what it will take to upgrade to a more recent version of Roundcube. It might be easy; I am just noting what I got out of the box.

Apple Mail

Apple Mail for OS X and Apple’s Mail app for iOS are both a pain. There are two reasons: mailbox subscription and server configuration.

The mailbox subscription problem is just a nuisance. Sovereign configures dovecot to use sieve for server-side handling of incoming mail. As configured, Roundcube does not subscribe to the sieve mailbox. Apple’s mail clients both do, and it does not appear to be possible to unsubscribe. Therefore there’s some noise in the folder list on those clients.

Configuration is a bigger problem. Sovereign sets up an autoconfigure XML file at the right place, and Thunderbird/Icedove use it correctly. Apple’s mail clients do not look for it, though. They must be manually configured. That’s not a problem for me, but it’s an ordeal for the kids. I had to resort to amateur IT support and write instructions with screenshots so that my older daughter who is away at college can get her email again. Kind of embarassing, to be honest, although I won’t through Apple under the bus without knowing why they don’t look for the autoconfigure XML.

Miscellaneous configuration problems

I made two other corrections for my setup.

Final thoughts

I’ve been running the server for over a week now, and I got the family set up this weekend. So far, so good.

Tarsnap is a great backup service. I would never host my family’s email and other data without backups. I’ve been using Tarsnap for over a year on another machine, and it’s been a rock.