Install and configure Ansible
We configure our servers using Ansible. The fist step is to install Ansible on your personal computer
https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
Now you have Ansible installed, we're going to configure a couple of PATHs.
Create a directory where you will work from
mkdir ~/CommonsCloud/ansible mkdir ~/CommonsCloud/ansible/sensitive
Edit ~./ansible.cfg
[defaults] inventory = ~/CommonsCloud/ansible/hosts vault_password_file = ~/CommonsCloud/ansible/sensitive/vault_password.txt
Hosts file ~/CommonsCloud/ansible/hosts
This is the file where all the servers are declared and their corresponding parameters
Here is an example
---
# This is the default ansible 'hosts' file.
#
# https://github.com/ansible/ansible/blob/devel/examples/hosts.yaml
#
# - Comments begin with the '#' character
# - Blank lines are ignored
# - Top level entries are assumed to be groups, start with 'all' to have a full hierarchy
# - Hosts must be specified in a group's hosts:
# and they must be a key (: terminated)
# - groups can have children, hosts and vars keys
# - Anything defined under a host is assumed to be a var
# - You can enter hostnames or IP addresses
# - A hostname/IP can be a member of multiple groups
all:
vars:
ansible_user: <your_ssh_username>
ansible_port: <ssh port (22 defaults)>
hosts:
cc-03.commonscloud.coop:
ansilbe_host: <public_ip>
children:
Commonscloud:
vars:
ldap_provider: ldaps://<ldap FQDN>:636/
ldap_replicator_dn: cn=replicator,dc=commonscloud,dc=coop
hosts:
# core
cc-00.commonscloud.coop:
ansible_host: <public_ip>
cc-01.commonscloud.coop:
ansible_host: <public_ip>
# test
cc-10.commonscloud.coop:
ansible_host: <public_ip>
# production
cc-20.commonscloud.coop:
ansible_host: <public_ip>
cc-21.commonscloud.coop:
ansible_host: <public_ip>
cc-23.commonscloud.coop:
ansible_host: <public_ip>
backup_dirs:
- /var/www/
- /var/backups/mysql
Nextcloud:
vars:
ldap_basegroups: ou=collectives,o=femprocomuns,dc=commonscloud,dc=coop
hosts:
# the config of the nextcloud server to be found at FQDN nextcloud1.commonscloud.coop
nextcloud1.commonscloud.coop:
ansible_host: <public_ip>
ldap_service: cn=nextcloud1,ou=serveis,o=femprocomuns,dc=commonscloud,dc=coop
nextcloud_theme_name: "CommonsCloud"
nextcloud_theme_color: E63900~/CommonsCloud/ansible/sensitive
We save sensitive data like passwords, passphrases, ssh (public) keys, usernames, etc, in this directory organized into some subdirectories.
mkdir ~/CommonsCloud/ansible/sensitive/borg_passphrase mkdir -p ~/CommonsCloud/ansible/sensitive/keys/servers/
id_rsa.pub
When we create a new user on a server, we upload the id_rsa.pub to the new user's authorized_keys file.
All public keys are saved in ~/CommonsCloud/ansible/sensitive/keys/ as <username>.id_rsa.pub So, if your username on the server is 'alice', save the file as so.
cp ~/.ssh/id_rsa.pub ~/CommonsCloud/ansible/sensitive/keys/alice.id_rsa.pub
Other people who will also access the server with sudo permission need their keys saved the same way too.
Vault password
We encrypt a file that contains service passwords and other data using a password.
Make a password and save it.
openssl rand -hex 32 > ~/CommonsCloud/ansible/sensitive/vault_password.txt
Create an encrypted file with some parameters we'll need later. Change the data to fit.
ansible-vault create ~/CommonsCloud/ansible/sensitive/secret_vars.yml
secret_vars.yml content
--- postfix_sasl_password: a_secret backup_server: FQDN of your backup server ldap_replicator_password: xxxxxxxxxxx backup_server_port: 22
- Últim autor
- chris
- Last Edited
- Oct 22 2018, 22:52