Ansible configuration for the Netz39 infrastructure
Fixes the following ansible-lint warnings:

jinja[spacing]: Jinja2 spacing could be improved: group:Admins:{{ users | map(attribute = 'logname') | join("@pam,") }}@pam:: -> group:Admins:{{ users | map(attribute='logname') | join("@pam,") }}@pam:: (warning)
host-beaker.yml:23 Jinja2 template rewrite recommendation: `group:Admins:{{ users | map(attribute='logname') | join("@pam,") }}@pam::`.

jinja[spacing]: Jinja2 spacing could be improved: {{ docker_ip_ranges }} -> {{ docker_ip_ranges }} (warning)
host-krypton.yml:95 Jinja2 template rewrite recommendation: `{{ docker_ip_ranges }}`.

jinja[spacing]: Jinja2 spacing could be improved: {{ item }} -> {{ item }} (warning)
host-krypton.yml:98 Jinja2 template rewrite recommendation: `{{ item }}`.

jinja[spacing]: Jinja2 spacing could be improved: {{ docker_ip_ranges }} -> {{ docker_ip_ranges }} (warning)
host-krypton.yml:105 Jinja2 template rewrite recommendation: `{{ docker_ip_ranges }}`.

jinja[spacing]: Jinja2 spacing could be improved: {{ item }} -> {{ item }} (warning)
host-krypton.yml:108 Jinja2 template rewrite recommendation: `{{ item }}`.

jinja[spacing]: Jinja2 spacing could be improved: {{ cleanuri_amqp_user }} -> {{ cleanuri_amqp_user }} (warning)
roles/cleanuri/tasks/main.yml:36 Jinja2 template rewrite recommendation: `{{ cleanuri_amqp_user }}`.

jinja[spacing]: Jinja2 spacing could be improved: {{ cleanuri_amqp_user }} -> {{ cleanuri_amqp_user }} (warning)
roles/cleanuri/tasks/main.yml:53 Jinja2 template rewrite recommendation: `{{ cleanuri_amqp_user }}`.

jinja[spacing]: Jinja2 spacing could be improved: {{ cleanuri_amqp_user }} -> {{ cleanuri_amqp_user }} (warning)
roles/cleanuri/tasks/main.yml:70 Jinja2 template rewrite recommendation: `{{ cleanuri_amqp_user }}`.

Repository contents:
files
group_vars
host_vars
roles
templates
.editorconfig
.gitignore
.mailmap
.yamllint
ansible.cfg
configure-grafana.yml
group-all.yml
group-docker_host.yml
group-k3s.yml
group-proxmox.yml
host-beaker.yml
host-hobbes.yml
host-holmium.yml
host-krypton.yml
host-oganesson.yml
host-platon.yml
host-plumbum.yml
host-pottwal.yml
host-radon.yml
host-tau.yml
host-unicorn.yml
host-wittgenstein.yml
inventory.yml
main.yml
README.md
renovate.json
requirements.yml
setup-ssh.yml
Ansible configuration for the Netz39 infrastructure
This call lists all hosts defined in the inventory:
ansible all --list-hosts
Setup
ansible-galaxy install -r requirements.yml
Setup SSH Access to hosts
LOGUSER=<loguser>
SSH_KEY=<absolute/path/to/ssh/private/key>
ansible-playbook setup-ssh.yml --ask-vault-pass -e "setup_ssh_logname=$LOGUSER" -e "setup_ssh_key=$SSH_KEY"
This playbook also adds rhodium.n39.eu (OpenWRT router), but our Ansible cannot set up SSH keys there (yet). Please add your key to OpenWRT manually.
Edit vault encrypted vars files
ansible-vault edit group_vars/all/vault
Call with
ansible-playbook --ask-vault-pass main.yml
You need to provide a user with sudo rights and the vault password.
Verify Changes
ansible-lint main.yml
ansible-playbook --ask-vault-pass main.yml --check --diff
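The vault, run and verify steps above assume that every vault file in the tree is still encrypted when the playbook is run or committed; an `ansible-vault edit` that is interrupted, or a `decrypt` that was never followed by `encrypt`, silently leaves secrets in plaintext. The following pre-flight script is an added example, not part of the Netz39 repository: it refuses to continue while any file named `vault` lacks the ansible-vault envelope header, then runs the lint and dry-run commands listed above. It assumes it is run from the repository root and that vault files are named `vault` as `group_vars/all/vault` is; the script name and the `run` argument are choices made here.

```shell
#!/bin/sh
# Added pre-flight script (not part of the Netz39 repository): abort while any
# vault file in the tree is stored in plaintext, then run the README's lint and
# dry-run steps. Assumptions: executed from the repository root; vault files are
# named "vault" (as group_vars/all/vault is); ansible-lint and ansible-playbook
# are on PATH.

# vault_is_encrypted FILE: succeed (0) if FILE carries the ansible-vault
# envelope header, fail (1) otherwise. Every ansible-vault payload starts with
# "$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]" on its first line, so a
# file whose first line is anything else has been left in plaintext.
vault_is_encrypted() {
  [ -f "$1" ] || return 1
  case "$(head -n 1 "$1")" in
    '$ANSIBLE_VAULT;'*) return 0 ;;
    *) return 1 ;;
  esac
}

# plaintext_vault_files DIR: print every file named "vault" below DIR that is
# not encrypted; succeed (0) if there are none, fail (1) if any were printed.
plaintext_vault_files() {
  ! find "$1" -type f -name vault | while IFS= read -r f; do
      vault_is_encrypted "$f" || echo "$f"
    done | grep .
}

# preflight: the sequence to run before committing or applying main.yml.
preflight() {
  if ! plaintext_vault_files .; then
    echo "plaintext vault file(s) listed above, aborting" >&2
    return 1
  fi
  ansible-lint main.yml || return 1
  ansible-playbook --ask-vault-pass main.yml --check --diff
}

# Only run the live sequence when asked to; sourcing the file just defines
# the functions so they can be reused from a git pre-commit hook.
if [ "${1:-}" = run ]; then preflight; fi
```

Wire `vault_is_encrypted` into a git pre-commit hook over `git diff --cached --name-only` to catch the plaintext case before it ever reaches the remote; the check costs one `head` per file and needs no vault password.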
HTTPS ingress configuration
HTTPS ingress is controlled by the server holmium and forwarded to the configured servers.
To set up a new HTTPS vhost, the following steps need to be taken:
- Select a domain (for internal services we use sub-domains of .n39.eu).
- Create an external CNAME from this domain to dyndns.n39.eu.
- Create an internal DNS entry in the Descartes DNS config. This is usually an alias on an existing server.
- Add the entry to the holmium playbook.
- Set up Dehydrated and vhost on the target host, e.g. using setup_http_site_proxy.
Do not forget to execute all playbooks with relevant changes.
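The first three steps of that procedure are DNS changes made outside this repository, and the holmium playbook and Dehydrated both fail in confusing ways when one of them is missing or points at the wrong place. The following script is an added example, not part of the Netz39 repository: it checks, for a candidate domain, that the name follows the .n39.eu convention, that the external CNAME really targets dyndns.n39.eu, and that the internal resolver answers for it, before any playbook is run. It assumes `dig` is installed and that the address of the Descartes DNS server is supplied in `INTERNAL_RESOLVER` (a placeholder here); the function names are choices made for this example.

```shell
#!/bin/sh
# Added example (not part of the Netz39 repository): check the DNS prerequisites
# for a new HTTPS vhost before touching the holmium playbook. Assumptions: `dig`
# is installed; INTERNAL_RESOLVER is the address of the Descartes DNS server
# (placeholder below, set it for your environment); the dyndns.n39.eu CNAME
# target and the .n39.eu convention come from the README.

EXPECTED_CNAME_TARGET="dyndns.n39.eu"
INTERNAL_RESOLVER="${INTERNAL_RESOLVER:-<internal-dns-ip>}"

# normalize_name NAME: lower-case and strip the trailing dot that dig appends,
# so "DynDNS.n39.eu." compares equal to "dyndns.n39.eu".
normalize_name() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# is_internal_domain NAME: succeed if NAME is a sub-domain of n39.eu (the
# README's convention for internal services). The bare zone "n39.eu" and
# look-alikes such as "wiki.n39.eu.example.com" are rejected.
is_internal_domain() {
  case "$(normalize_name "$1")" in
    n39.eu) return 1 ;;
    *.n39.eu) return 0 ;;
    *) return 1 ;;
  esac
}

# cname_answer_ok ANSWER: succeed if ANSWER (one line of `dig +short CNAME`)
# names the dyndns target. An empty answer means no CNAME exists yet.
cname_answer_ok() {
  [ -n "$1" ] || return 1
  [ "$(normalize_name "$1")" = "$EXPECTED_CNAME_TARGET" ]
}

# preflight_vhost DOMAIN: run the live checks; exit 0 only if the external
# CNAME and the internal DNS entry are both in place.
preflight_vhost() {
  domain="$1"
  rc=0
  if is_internal_domain "$domain"; then
    echo "ok:   $domain is a sub-domain of n39.eu"
  else
    echo "warn: $domain is not under n39.eu (acceptable for public services)"
  fi
  if cname_answer_ok "$(dig +short CNAME "$domain" | head -n 1)"; then
    echo "ok:   external CNAME -> $EXPECTED_CNAME_TARGET"
  else
    echo "FAIL: external CNAME for $domain does not point to $EXPECTED_CNAME_TARGET"
    rc=1
  fi
  # The internal entry is usually an alias, so ask for the full answer chain
  # rather than insisting on a direct A record.
  if [ -n "$(dig +short "$domain" "@$INTERNAL_RESOLVER")" ]; then
    echo "ok:   internal DNS ($INTERNAL_RESOLVER) resolves $domain"
  else
    echo "FAIL: $INTERNAL_RESOLVER has no entry for $domain"
    rc=1
  fi
  return $rc
}

# Usage: sh preflight-vhost.sh service.n39.eu
if [ -n "${1:-}" ]; then preflight_vhost "$1"; fi
```

Run it once after the DNS changes have propagated and again after the holmium and target-host playbooks have been applied; a CNAME that points anywhere other than dyndns.n39.eu means traffic for the name never reaches holmium, and Dehydrated's validation on the target host will fail for exactly that reason.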