# Ansible configuration for the Netz39 infrastructure

This call lists all hosts defined in the inventory:

```bash
ansible -i inventory.yml all --list-hosts
```

## Setup

```bash
ansible-galaxy install -r requirements.yml
```

## Setup SSH Access to hosts

```bash
LOGUSER=
SSH_KEY=
ansible-playbook setup-ssh.yml --ask-vault-pass -e "setup_ssh_logname=$LOGUSER" -e "setup_ssh_key=$SSH_KEY"
```

## Edit vault encrypted vars files

```bash
ansible-vault edit group_vars/all/vault
```

## Call with

```bash
ansible-playbook -i inventory.yml --ask-vault-pass main.yml
```

You need to provide a user with sudo rights and the vault password.

## HTTPS ingress configuration

HTTPS ingress is controlled by the server [holmium](https://wiki.netz39.de/admin:servers:holmium) and forwarded to the configured servers.

To set up a new HTTPS vhost, the following steps need to be taken:

1. Select a domain (for internal services we use sub-domains of `.n39.eu`).
2. Create an external CNAME from this domain to `dyndns.n39.eu`.
3. Create an internal DNS entry in the [Descartes DNS config](https://gitea.n39.eu/Netz39_Admin/config.descartes/src/branch/prepare/dns_dhcp.txt). This is usually an alias on an existing server.
4. Add the entry to the [holmium playbook](holmium.yml).
5. Set up Dehydrated and vhost on the target host, e.g. using `setup_http_site_proxy`.

Do not forget to execute all playbooks with relevant changes.