Ansible Installation
Deploy Genesis to production servers with genesis-ansible -- an automated installer with security-first architecture.
Prerequisites
| Requirement | Details |
|---|---|
| OS | Debian 11+ or Ubuntu 20.04+ |
| Access | Root or sudo privileges |
| Network | Internet connection for package installation |
| Ansible | 2.14+ (installed automatically by the quick-start script) |
What You Get
- Firewall-first security -- UFW + Docker isolation (only SSH + Tailscale accessible)
- Tailscale VPN -- secure remote access without exposing services publicly
- Docker -- isolated sandbox containers, localhost-only bindings
- Defense in depth -- 4-layer security architecture
- Systemd integration -- auto-start on boot with hardening
- One-command setup -- complete deployment in minutes
Quick Start
One-command install:
```bash
curl -fsSL https://raw.githubusercontent.com/PIXELZX0/Genesis-ansible/main/install.sh | bash
```
What Gets Installed
The Ansible playbook installs and configures:
- Tailscale -- mesh VPN for secure remote access
- UFW firewall -- SSH + Tailscale ports only
- Docker CE + Compose V2 -- for the default agent sandbox backend
- Node.js 24 + pnpm -- runtime dependencies (Node 22 LTS, currently 22.14+, remains supported)
- Genesis -- host-based, not containerized
- Systemd service -- auto-start with security hardening
Post-Install Setup
Switch to the genesis user
```bash
sudo -i -u genesis
```
Run the onboarding wizard
The post-install script guides you through configuring Genesis settings.
Connect messaging providers
Log in to WhatsApp, Telegram, Discord, or Signal:
```bash
genesis channels login
```
Verify the installation
```bash
sudo systemctl status genesis
sudo journalctl -u genesis -f
```
Connect to Tailscale
Join your VPN mesh for secure remote access.
Quick Commands
```bash
# Check service status
sudo systemctl status genesis
# View live logs
sudo journalctl -u genesis -f
# Restart gateway
sudo systemctl restart genesis
# Provider login (run as genesis user)
sudo -i -u genesis
genesis channels login
```
Security Architecture
The deployment uses a 4-layer defense model:
- Firewall (UFW) -- only SSH (22) + Tailscale (41641/udp) exposed publicly
- VPN (Tailscale) -- gateway accessible only via VPN mesh
- Docker isolation -- DOCKER-USER iptables chain prevents external port exposure
- Systemd hardening -- NoNewPrivileges, PrivateTmp, unprivileged user
To verify your external attack surface:
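```bash
nmap -p- YOUR_SERVER_IP
```
Only port 22 (SSH) should be open. `nmap -p-` scans TCP ports only, so the Tailscale port (41641/udp) does not appear in this scan. All other services (gateway, Docker) are locked down.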
Docker is installed for agent sandboxes (isolated tool execution), not for running the gateway itself. See Multi-Agent Sandbox and Tools for sandbox configuration.
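A host-side complement to the nmap scan, as an added example that is not part of genesis-ansible: it lists TCP listeners bound to a non-loopback address other than SSH, that is, sockets whose exposure depends on UFW or the DOCKER-USER chain rather than on a localhost-only binding. The function name and the sample `ss -H -tln` lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not part of genesis-ansible): host-side listener audit.
# Reads `ss -H -tln` output on stdin: State Recv-Q Send-Q Local:Port Peer:Port

# Print "address port" for each TCP listener that is neither bound to
# loopback nor the SSH port (22), i.e. one that depends on firewall rules.
find_exposed_listeners() {
  awk '
    $1 == "LISTEN" {
      pos = match($4, /:[0-9]+$/)        # last colon separates address and port
      if (pos == 0) next
      addr = substr($4, 1, pos - 1)
      port = substr($4, pos + 1)
      gsub(/^\[|\]$/, "", addr)          # [::1] -> ::1
      sub(/%.*$/, "", addr)              # 127.0.0.53%lo -> 127.0.0.53
      if (addr ~ /^127\./ || addr == "::1") next   # localhost-only binding
      if (port == "22") next                       # SSH is public by design
      print addr, port
    }'
}

# Constructed sample input; the ports are illustrative, not Genesis defaults.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then
  ss -H -tln | find_exposed_listeners      # audit this host
else
  printf '%s\n' "$SAMPLE_SS_OUTPUT" | find_exposed_listeners
fi
```

Run it with `--live` on the server. A printed listener is not necessarily reachable from outside, so confirm each one against `sudo ufw status verbose` and the external scan.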
Manual Installation
If you prefer manual control over the automation:
Install prerequisites
```bash
sudo apt update && sudo apt install -y ansible git
```
Clone the repository
```bash
git clone https://github.com/PIXELZX0/Genesis-ansible.git
cd Genesis-ansible
```
Install Ansible collections
```bash
ansible-galaxy collection install -r requirements.yml
```
Run the playbook
```bash
./run-playbook.sh
```
Alternatively, run directly and then manually execute the setup script afterward:
```bash
ansible-playbook playbook.yml --ask-become-pass
# Then run: /tmp/genesis-setup.sh
```
Updating
The Ansible installer sets up Genesis for manual updates. See Updating for the standard update flow.
To re-run the Ansible playbook (for example, for configuration changes):
```bash
cd Genesis-ansible
./run-playbook.sh
```
This is idempotent and safe to run multiple times.
Troubleshooting
Firewall blocks my connection
- Ensure you can reach the server over the Tailscale VPN first
- SSH access (port 22) is always allowed
- The gateway is only accessible via Tailscale by design
Service will not start
```bash
# Check logs
sudo journalctl -u genesis -n 100
# Verify permissions
sudo ls -la /opt/genesis
# Test manual start
sudo -i -u genesis
cd ~/genesis
genesis gateway run
```
Docker sandbox issues
```bash
# Verify Docker is running
sudo systemctl status docker
# Check sandbox image
sudo docker images | grep genesis-sandbox
# Build sandbox image if missing
cd /opt/genesis/genesis
sudo -u genesis ./scripts/sandbox-setup.sh
```
Provider login fails
Make sure you are running as the `genesis` user:
```bash
sudo -i -u genesis
genesis channels login
```
Advanced Configuration
For detailed security architecture and troubleshooting, see the genesis-ansible repo:
Related
- genesis-ansible -- full deployment guide
- Docker -- containerized gateway setup
- Sandboxing -- agent sandbox configuration
- Multi-Agent Sandbox and Tools -- per-agent isolation