Install and configure Ansible
Updated 390 day(s) ago, Public

We configure our servers using Ansible. The first step is to install Ansible on your personal computer.

Now that you have Ansible installed, we're going to configure a couple of paths.

Create the directories you will work from:

mkdir ~/CommonsCloud/ansible
mkdir ~/CommonsCloud/ansible/sensitive

Edit ~/.ansible.cfg and add these settings under the [defaults] section:

[defaults]
inventory = ~/CommonsCloud/ansible/hosts
vault_password_file = ~/CommonsCloud/ansible/sensitive/vault_password.txt

Hosts file ~/CommonsCloud/ansible/hosts

This is the file where all the servers are declared, along with their corresponding parameters.

Here is an example:

# This is the default ansible 'hosts' file.
#   - Comments begin with the '#' character
#   - Blank lines are ignored
#   - Top level entries are assumed to be groups, start with 'all' to have a full hierarchy
#   - Hosts must be specified in a group's hosts:
#     and they must be a key (: terminated)
#   - groups can have children, hosts and vars keys
#   - Anything defined under a host is assumed to be a var
#   - You can enter hostnames or IP addresses
#   - A hostname/IP can be a member of multiple groups
#   - Names in angle brackets are placeholders: replace them with your own values

all:
  vars:
    ansible_user: <your_ssh_username>
    ansible_port: <ssh port (22 by default)>
  hosts:
    <hostname>:
      ansible_host: <public_ip>
  children:
    <group_name>:
      vars:
        ldap_provider: ldaps://<ldap FQDN>:636/
        ldap_replicator_dn: cn=replicator,dc=commonscloud,dc=coop
      hosts:
        # core
        <core_hostname_1>:
          ansible_host: <public_ip>
        <core_hostname_2>:
          ansible_host: <public_ip>
        # test
        <test_hostname>:
          ansible_host: <public_ip>
        # production
        <production_hostname_1>:
          ansible_host: <public_ip>
        <production_hostname_2>:
          ansible_host: <public_ip>
        <production_hostname_3>:
          ansible_host: <public_ip>
          <backup_directories_variable>:
            - /var/www/
            - /var/backups/mysql
          backup_cron_hour: 3
          backup_cron_minute: 30
    <nextcloud_group_name>:
      vars:
        ldap_basegroups: ou=collectives,o=femprocomuns,dc=commonscloud,dc=coop
      hosts:
        # the config of the nextcloud server to be found at FQDN
        <nextcloud_hostname>:
          ansible_host: <public_ip>
          ldap_service: cn=nextcloud1,ou=serveis,o=femprocomuns,dc=commonscloud,dc=coop
          nextcloud_theme_name: "CommonsCloud"
          nextcloud_theme_color: E63900


We save sensitive data (passwords, passphrases, SSH public keys, usernames, etc.) in the sensitive directory, organized into a few subdirectories.

mkdir ~/CommonsCloud/ansible/sensitive/borg_passphrase
mkdir -p ~/CommonsCloud/ansible/sensitive/keys/servers/

SSH public keys

When we create a new user on a server, we upload the user's public key to the new user's authorized_keys file.
All public keys are saved in ~/CommonsCloud/ansible/sensitive/keys/ as <username>. So, if your username on the server is 'alice', name the file 'alice'.

cp ~/.ssh/ ~/CommonsCloud/ansible/sensitive/keys/

Anyone else who will access the server with sudo permission needs their key saved the same way.

Vault password

We encrypt a file that contains service passwords and other data using a vault password.
Generate a password and save it:

openssl rand -hex 32 > ~/CommonsCloud/ansible/sensitive/vault_password.txt
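An added example, not from the original page: a POSIX sh script that creates the sensitive/ layout described above with owner-only permissions, writes the vault password file the way the command above does (falling back to /dev/urandom when openssl is absent), keeps sensitive/ out of git, and then checks that nothing under sensitive/ is group- or world-readable. The function names and the .gitignore step are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build the sensitive/ layout
# described above with owner-only permissions and verify it afterwards.
# Assumes POSIX sh and either openssl or /dev/urandom. The function names
# and the .gitignore step are this example's own assumptions.

# Create <base>/sensitive/... and the vault password file, all owner-only.
setup_sensitive_dir() {
    base="$1"
    vault_file="$base/sensitive/vault_password.txt"
    (   # subshell: the strict umask must not leak into the caller's shell
        umask 077
        mkdir -p "$base/sensitive/borg_passphrase" "$base/sensitive/keys/servers"
        # never overwrite an existing vault password: every vault encrypted
        # with it would become unreadable
        if [ ! -f "$vault_file" ]; then
            if command -v openssl >/dev/null 2>&1; then
                openssl rand -hex 32 > "$vault_file"
            else
                od -An -tx1 -N32 /dev/urandom | tr -d ' \n' > "$vault_file"
                echo >> "$vault_file"
            fi
        fi
    )
    chmod 700 "$base/sensitive"
    chmod 600 "$vault_file"
    # keep the plaintext secrets out of version control (assumed git layout)
    grep -qx 'sensitive/' "$base/.gitignore" 2>/dev/null \
        || echo 'sensitive/' >> "$base/.gitignore"
}

# Succeed (0) only if no file or directory under sensitive/ grants any
# permission to group or other; fail (1) otherwise.
check_sensitive_perms() {
    base="$1"
    find "$base/sensitive" -print | while read -r path; do
        # columns 5-10 of 'ls -ld' are the group and other permission bits
        mode=$(ls -ld "$path" | cut -c5-10)
        [ "$mode" = "------" ] || exit 1
    done
}
```

Run `setup_sensitive_dir ~/CommonsCloud/ansible` once, and `check_sensitive_perms ~/CommonsCloud/ansible` whenever you add a key or passphrase file by hand.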

Create an encrypted file with some parameters we'll need later. Change the values to fit your setup.

ansible-vault create ~/CommonsCloud/ansible/sensitive/secret_vars.yml

secret_vars.yml content:

postfix_sasl_password: a_secret
backup_server: <FQDN of your backup server>
ldap_base_dn: dc=commonscloud,dc=coop
ldap_replicator_dn: cn=replicator,dc=commonscloud,dc=coop
ldap_replicator_password: xxxxxxxxxxx
backup_server_port: 22