Ansible configuration for the Netz39 infrastructure
This call lists all hosts defined in the inventory:
ansible all --list-hosts
Setup
ansible-galaxy install -r requirements.yml
Setup SSH Access to hosts
LOGUSER=<loguser>
SSH_KEY=<absolute/path/to/ssh/private/key>
ansible-playbook setup-ssh.yml --ask-vault-pass -e "setup_ssh_logname=$LOGUSER" -e "setup_ssh_key=$SSH_KEY"
Edit vault encrypted vars files
ansible-vault edit group_vars/all/vault
Call with
ansible-playbook --ask-vault-pass main.yml
You need to provide a user with sudo rights and the vault password.
Verify Changes
ansible-lint main.yml
ansible-playbook --ask-vault-pass main.yml --check --diff
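A further check that fits alongside the lint and dry run above: confirm that vault files are still encrypted before committing. This is an added example, not part of the Netz39 repository; it assumes secrets files are named vault (or vault.yml / vault.yaml) below group_vars/ and host_vars/, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Netz39 repository.
# Assumption: secrets live in files named "vault" (or vault.yml / vault.yaml)
# below group_vars/ and host_vars/, like group_vars/all/vault.

# Print every vault file under $1 whose first line lacks the ansible-vault
# header. Returns 1 if at least one such file exists, 0 otherwise.
find_plaintext_vaults() {
    root=${1:-.}
    status=0
    for dir in "$root/group_vars" "$root/host_vars"; do
        [ -d "$dir" ] || continue
        # A temp file keeps the loop in this shell, so $status survives it.
        list=$(mktemp)
        find "$dir" -type f \
            \( -name vault -o -name 'vault.yml' -o -name 'vault.yaml' \) > "$list"
        while IFS= read -r file; do
            first=
            # An empty file makes read fail; it then counts as unencrypted.
            IFS= read -r first < "$file" || true
            case $first in
                '$ANSIBLE_VAULT;'*) ;;                    # encrypted, fine
                *) printf '%s\n' "$file"; status=1 ;;     # plaintext, report it
            esac
        done < "$list"
        rm -f "$list"
    done
    return "$status"
}

# Build a constructed sample tree: one encrypted-looking file, one plaintext.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/group_vars/all" "$tree/host_vars/example-host"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '6162636465660a' \
        > "$tree/group_vars/all/vault"
    printf '%s\n' 'example_password: not-a-real-secret' \
        > "$tree/host_vars/example-host/vault"
    printf '%s\n' "$tree"
}

# Demo on the constructed tree; in a checkout, call: find_plaintext_vaults .
demo_tree=$(make_sample_tree)
find_plaintext_vaults "$demo_tree" || echo "plaintext vault file(s) listed above"
rm -rf "$demo_tree"
```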
HTTPS ingress configuration
HTTPS ingress is controlled by the server holmium and forwarded to the configured servers.
To set up a new HTTPS vhost, the following steps need to be taken:
- Select a domain (for internal services we use sub-domains of .n39.eu).
- Create an external CNAME from this domain to dyndns.n39.eu.
- Create an internal DNS entry in the Descartes DNS config. This is usually an alias on an existing server.
- Add the entry to the holmium playbook.
- Set up Dehydrated and vhost on the target host, e.g. using setup_http_site_proxy.
Do not forget to execute all playbooks with relevant changes.