Install and configure Ansible

We configure our servers using Ansible. The first step is to install Ansible on your personal computer:
https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html

Now that you have Ansible installed, we're going to configure a couple of paths.

Create the directories you will work from:

mkdir ~/CommonsCloud/ansible
mkdir ~/CommonsCloud/ansible/sensitive

Edit ~/.ansible.cfg:

[defaults]

inventory = ~/CommonsCloud/ansible/hosts
vault_password_file = ~/CommonsCloud/ansible/sensitive/vault_password.txt

Hosts file ~/CommonsCloud/ansible/hosts

This is the file where all the servers are declared, together with their corresponding parameters.

Here is an example:

---
# This is the default ansible 'hosts' file.
#
# https://github.com/ansible/ansible/blob/devel/examples/hosts.yaml
#
#   - Comments begin with the '#' character
#   - Blank lines are ignored
#   - Top level entries are assumed to be groups, start with 'all' to have a full hierarchy
#   - Hosts must be specified in a group's hosts:
#     and they must be a key (: terminated)
#   - groups can have children, hosts and vars keys
#   - Anything defined under a host is assumed to be a var
#   - You can enter hostnames or IP addresses
#   - A hostname/IP can be a member of multiple groups

all:
  vars:
    ansible_user: <your_ssh_username>
    ansible_port: <ssh port (22 defaults)>

  hosts:
    cc-03.commonscloud.coop:
      ansible_host: <public_ip>

  children:
    Commonscloud:
      vars:
        ldap_provider: ldaps://<ldap FQDN>:636/
        ldap_replicator_dn: cn=replicator,dc=commonscloud,dc=coop

      hosts:
        # core
        cc-00.commonscloud.coop:
          ansible_host: <public_ip>
        cc-01.commonscloud.coop:
          ansible_host: <public_ip>
          
        # test
        cc-10.commonscloud.coop:
          ansible_host: <public_ip>
          
        # production
        cc-20.commonscloud.coop:
          ansible_host: <public_ip>
        cc-21.commonscloud.coop:
          ansible_host: <public_ip>
        cc-23.commonscloud.coop:
          ansible_host: <public_ip>
          backup_dirs:
            - /var/www/
            - /var/backups/mysql
          backup_cron_hour: 3
          backup_cron_minute: 30
                       
    Nextcloud:
      vars:
        ldap_basegroups: ou=collectives,o=femprocomuns,dc=commonscloud,dc=coop

      hosts:
        # the config of the nextcloud server to be found at FQDN nextcloud1.commonscloud.coop
        nextcloud1.commonscloud.coop:
          ansible_host: <public_ip>
          ldap_service: cn=nextcloud1,ou=serveis,o=femprocomuns,dc=commonscloud,dc=coop
          nextcloud_theme_name: "CommonsCloud"
          nextcloud_theme_color: E63900

~/CommonsCloud/ansible/sensitive

We store sensitive data such as passwords, passphrases, SSH (public) keys, usernames, etc. in this directory, organized into a few subdirectories.

mkdir ~/CommonsCloud/ansible/sensitive/borg_passphrase
mkdir -p ~/CommonsCloud/ansible/sensitive/keys/servers/

SSH public keys

When we create a new user on a server, we upload the user's id_rsa.pub to the new user's authorized_keys file.
All public keys are saved in ~/CommonsCloud/ansible/sensitive/keys/ as <username>.id_rsa.pub. So, if your username on the server is 'alice', save the file like this:

cp ~/.ssh/id_rsa.pub ~/CommonsCloud/ansible/sensitive/keys/alice.id_rsa.pub

Other people who will also access the server with sudo permission need their keys saved the same way.

Vault password

We encrypt a file that contains service passwords and other data using a vault password.
Generate a password and save it:

openssl rand -hex 32 > ~/CommonsCloud/ansible/sensitive/vault_password.txt

Create an encrypted file with some parameters we'll need later. Change the values to fit your setup:

ansible-vault create ~/CommonsCloud/ansible/sensitive/secret_vars.yml

secret_vars.yml content:

---
postfix_sasl_password: a_secret
backup_server: FQDN of your backup server
ldap_base_dn: dc=commonscloud,dc=coop
ldap_replicator_dn: cn=replicator,dc=commonscloud,dc=coop
ldap_replicator_password: xxxxxxxxxxx
backup_server_port: 22
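As an added example (not part of the original page), a small shell script that checks the sensitive directory layout described above before any play is run: the vault password file exists and is readable by its owner only, secret_vars.yml actually carries the $ANSIBLE_VAULT header (i.e. was encrypted, not left as plaintext YAML), and every file under keys/ is a single <username>.id_rsa.pub public key. The 0600 expectation, the check_layout/make_demo_tree names and the constructed demo tree are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for the
# ~/CommonsCloud/ansible/sensitive layout. Catches a readable vault
# password, an unencrypted vault file, or a key file that is not a public key.
set -u

# check_layout DIR : prints one line per finding, returns 0 when all pass
check_layout() {
  local dir=$1 rc=0 f first
  # 1. vault_password.txt unlocks every secret: owner-only (0600) assumed.
  f="$dir/sensitive/vault_password.txt"
  if [ ! -f "$f" ]; then
    echo "MISSING $f"; rc=1
  elif [ "$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")" != "600" ]; then
    echo "LOOSE PERMISSIONS on $f (expected 600)"; rc=1
  fi
  # 2. secret_vars.yml must start with the $ANSIBLE_VAULT header.
  f="$dir/sensitive/secret_vars.yml"
  if [ -f "$f" ]; then
    IFS= read -r first < "$f"
    case $first in '$ANSIBLE_VAULT;'*) ;; *) echo "PLAINTEXT $f"; rc=1 ;; esac
  fi
  # 3. keys/<username>.id_rsa.pub: one line, a public key, never a private one.
  for f in "$dir"/sensitive/keys/*.pub; do
    [ -e "$f" ] || continue
    case "$(basename "$f")" in *.id_rsa.pub) ;; *) echo "BAD NAME $f"; rc=1 ;; esac
    if [ "$(wc -l < "$f" | tr -d ' ')" -ne 1 ] \
       || ! grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$f"; then
      echo "NOT A SINGLE PUBLIC KEY $f"; rc=1
    fi
    grep -q 'PRIVATE KEY' "$f" && { echo "PRIVATE KEY MATERIAL in $f"; rc=1; }
  done
  return $rc
}

# make_demo_tree DIR : constructed layout with fake values so the script runs
# offline without touching ~/CommonsCloud; prints DIR.
make_demo_tree() {
  local d=$1
  mkdir -p "$d/sensitive/keys/servers" "$d/sensitive/borg_passphrase"
  printf 'constructed-vault-password\n' > "$d/sensitive/vault_password.txt"
  chmod 600 "$d/sensitive/vault_password.txt"
  printf '$ANSIBLE_VAULT;1.1;AES256\n3030\n' > "$d/sensitive/secret_vars.yml"
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOnly alice@laptop\n' \
    > "$d/sensitive/keys/alice.id_rsa.pub"
  echo "$d"
}

# Demo run; pass "$HOME/CommonsCloud/ansible" instead to check the real tree.
check_layout "$(make_demo_tree "$(mktemp -d)")" && echo "layout OK"
```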
Last author: chris