We configure our servers using Ansible. The first step is to install Ansible on your personal computer.

Now that you have Ansible installed, we're going to set a couple of paths in Ansible's configuration file, `ansible.cfg`.

Create a directory to work from; the paths below assume `~/CommonsCloud/ansible`. Then point Ansible at the inventory and at the vault password file:
```ini
[defaults]
inventory = ~/CommonsCloud/ansible/hosts
vault_password_file = ~/CommonsCloud/ansible/sensitive/vault_password.txt
```
## Hosts file `~/CommonsCloud/ansible/hosts`

This is the file where all the servers and their parameters are declared. Here is an example:
```yaml
# This is the default ansible 'hosts' file.
# - Comments begin with the '#' character
# - Blank lines are ignored
# - Top level entries are assumed to be groups, start with 'all' to have a full hierarchy
# - Hosts must be specified in a group's hosts:
#   and they must be a key (: terminated)
# - groups can have children, hosts and vars keys
# - Anything defined under a host is assumed to be a var
# - You can enter hostnames or IP addresses
# - A hostname/IP can be a member of multiple groups
all:
  hosts:
    # the config of the nextcloud server, reached at FQDN nextcloud1.commonscloud.coop
    nextcloud1.commonscloud.coop:
      ansible_port: <ssh port, default 22>
      ldap_provider: ldaps://<ldap FQDN>:636/
```
We save sensitive data (passwords, passphrases, SSH public keys, usernames, etc.) in the `sensitive` directory, organized into subdirectories. Create it together with the directory for key files:

```shell
mkdir -p ~/CommonsCloud/ansible/sensitive/keys/servers/
```
When we create a new user on a server, we add that person's `id_rsa.pub` to the new user's `authorized_keys` file.

All public keys are saved in `~/CommonsCloud/ansible/sensitive/keys/` as `<username>.id_rsa.pub`. So, if your username on the server is `alice`, save the file like so:

```shell
cp ~/.ssh/id_rsa.pub ~/CommonsCloud/ansible/sensitive/keys/alice.id_rsa.pub
```

Other people who will also access the server with sudo permissions need their public keys saved the same way. Only public keys belong here; never copy a private key (`id_rsa`) into this directory.
### Vault password
We encrypt a file that contains service passwords and other data with Ansible Vault, using a vault password.

Make a password and save it to the `vault_password_file` path configured above. The file holds the password in plaintext, so keep it readable only by your own user.

```shell
openssl rand -hex 32 > ~/CommonsCloud/ansible/sensitive/vault_password.txt
```

Create an encrypted file with some parameters we'll need later. `ansible-vault create` reads the vault password from that file and opens the new encrypted file in your editor. Change the data to fit:

```shell
ansible-vault create ~/CommonsCloud/ansible/sensitive/secret_vars.yml
```

```yaml
backup_server: <FQDN of your backup server>
```
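As an added example that is not part of the CommonsCloud repository, the following POSIX shell script builds the `sensitive/` layout from this section and checks it the way a reviewer would before running a playbook: the vault password file must be mode 0600 and look like `openssl rand -hex 32` output, and every file in `keys/` must follow the `<username>.id_rsa.pub` naming, contain exactly one OpenSSH public key line, and never be a private key copied by mistake. The function names, the directory argument, the `od`-based fallback when `openssl` is missing, and the sample key blob are my own assumptions; the stand-alone demo at the bottom uses a temporary directory so it never touches `~/CommonsCloud`.

```shell
#!/bin/sh
# Added example for this page (not CommonsCloud's own tooling): set up the
# sensitive/ directory described above and sanity-check its contents.
# Assumptions (mine, not the page's): the target directory is passed as an
# argument so the checks can run against a throwaway copy; the hex secret is
# generated with openssl when present and with od(1) otherwise.

# 64 hex characters, the same thing `openssl rand -hex 32` writes.
gen_hex_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
        echo
    fi
}

# Create the layout and the vault password file. The body runs in a subshell
# so the restrictive umask does not leak into the caller: directories come out
# 0700 and vault_password.txt 0600, never world-readable even for an instant.
setup_sensitive_dir() (
    dir=$1
    umask 077
    mkdir -p "$dir/keys/servers"
    gen_hex_secret > "$dir/vault_password.txt"
)

# The vault password file is plaintext, so it must be owner-only and must look
# like the output of `openssl rand -hex 32`.
check_vault_password_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -n "$(find "$f" -perm 600 -print)" ] \
        || { echo "must be mode 0600, readable only by you: $f" >&2; return 1; }
    grep -Eq '^[0-9a-f]{64}$' "$f" \
        || { echo "expected a single line of 64 hex chars: $f" >&2; return 1; }
}

# A key file in sensitive/keys/ must follow the <username>.id_rsa.pub naming,
# contain exactly one OpenSSH public key line, and above all never be a
# private key that was copied by mistake (id_rsa instead of id_rsa.pub).
check_pubkey() {
    f=$1
    case $(basename "$f") in
        *.id_rsa.pub) ;;
        *) echo "name must be <username>.id_rsa.pub: $f" >&2; return 1 ;;
    esac
    if grep -q 'PRIVATE KEY' "$f"; then
        echo "REFUSING: $f holds a private key, not a public key" >&2
        return 1
    fi
    [ "$(grep -c '' "$f")" -eq 1 ] \
        || { echo "expected exactly one key line: $f" >&2; return 1; }
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' "$f" \
        || { echo "not an OpenSSH public key line: $f" >&2; return 1; }
}

# Constructed sample: shaped like an ed25519 public key blob, not a real key.
ED25519_SAMPLE='AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleE'

# Stand-alone demo against a temporary directory; never touches ~/CommonsCloud.
demo=$(mktemp -d)
setup_sensitive_dir "$demo"
check_vault_password_file "$demo/vault_password.txt" && echo "vault password file OK"
printf 'ssh-ed25519 %s alice@laptop\n' "$ED25519_SAMPLE" > "$demo/keys/alice.id_rsa.pub"
check_pubkey "$demo/keys/alice.id_rsa.pub" && echo "alice.id_rsa.pub OK"
rm -rf "$demo"
```

Run `check_pubkey` over every file in `keys/` before a playbook installs them into `authorized_keys`. The private-key check is there because the copy commands above reach straight into your own `~/.ssh`, and an `id_rsa` copied in place of `id_rsa.pub` would be handed to every server the playbook touches.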