We configure our servers using Ansible. The fist step is to install Ansible on your personal computer
Now you have Ansible installed, we're going to configure a couple of PATHs.
Create a directory where you will work from
mkdir ~/CommonsCloud/ansible mkdir ~/CommonsCloud/ansible/sensitive
[defaults] inventory = ~/CommonsCloud/ansible/hosts vault_password_file = ~/CommonsCloud/ansible/sensitive/vault_password.txt
This is the file where all the servers are declared and their corresponding parameters
Here is an example
--- # This is the default ansible 'hosts' file. # # https://github.com/ansible/ansible/blob/devel/examples/hosts.yaml # # - Comments begin with the '#' character # - Blank lines are ignored # - Top level entries are assumed to be groups, start with 'all' to have a full hierarchy # - Hosts must be specified in a group's hosts: # and they must be a key (: terminated) # - groups can have children, hosts and vars keys # - Anything defined under a host is assumed to be a var # - You can enter hostnames or IP addresses # - A hostname/IP can be a member of multiple groups all: vars: ansible_user: <your_ssh_username> ansible_port: <ssh port (22 defaults)> hosts: cc-03.commonscloud.coop: ansilbe_host: <public_ip> children: Commonscloud: vars: ldap_provider: ldaps://<ldap FQDN>:636/ ldap_replicator_dn: cn=replicator,dc=commonscloud,dc=coop hosts: # core cc-00.commonscloud.coop: ansible_host: <public_ip> cc-01.commonscloud.coop: ansible_host: <public_ip> # test cc-10.commonscloud.coop: ansible_host: <public_ip> # production cc-20.commonscloud.coop: ansible_host: <public_ip> cc-21.commonscloud.coop: ansible_host: <public_ip> cc-23.commonscloud.coop: ansible_host: <public_ip> backup_dirs: - /var/www/ - /var/backups/mysql Nextcloud: vars: ldap_basegroups: ou=collectives,o=femprocomuns,dc=commonscloud,dc=coop hosts: # the config of the nextcloud server to be found at FQDN nextcloud1.commonscloud.coop nextcloud1.commonscloud.coop: ansible_host: <public_ip> ldap_service: cn=nextcloud1,ou=serveis,o=femprocomuns,dc=commonscloud,dc=coop nextcloud_theme_name: "CommonsCloud" nextcloud_theme_color: E63900
We save sensitive data like passwords, passphrases, ssh (public) keys, usernames, etc, in this directory organized into some subdirectories.
mkdir ~/CommonsCloud/ansible/sensitive/borg_passphrase mkdir -p ~/CommonsCloud/ansible/sensitive/keys/servers/
When we create a new user on a server, we upload the users id_rsa.pub to the new user's authorized_keys file.
All public keys are saved in ~/CommonsCloud/ansible/sensitive/keys/ as <username>.id_rsa.pub So, if your username on the server is 'alice', save the file as so.
cp ~/.ssh/id_rsa.pub ~/CommonsCloud/ansible/sensitive/keys/alice.id_rsa.pub
Other people who will also access the server with sudo permission need their keys saved the same way too.
We encrypt a file that contains service passwords and other data using a password.
Make a password and save it.
openssl rand -hex 32 > ~/CommonsCloud/ansible/sensitive/vault_password.txt
Create an encrypted file with some parameters we'll need later. Change the data to fit.
ansible-vault create ~/CommonsCloud/ansible/sensitive/secret_vars.yml
--- postfix_sasl_password: a_secret backup_server: FQDN of your backup server ldap_base_dn: dc=commonscloud,dc=coop ldap_replicator_dn: cn=replicator,dc=commonscloud,dc=coop ldap_replicator_password: xxxxxxxxxxx backup_server_port: 22