forked from Netz39_Admin/netz39-infra-ansible

Ansible configuration for the Netz39 infrastructure

Find a file

Stefan Haun 8855f7cc10 🚑 Pin Dokuwiki container to specific digest There seem to be compatibility issues with container updates within the same tag. These updates happen every time we run Ansible and are usually desired, as they can fix security issues (esp. in the base image). However, if the update cannot be trusted to run without manual intervention, we have to pin the version and check for updates manually.		2022-11-18 17:12:13 +01:00
files	Add the Asterisk sound files	2022-08-05 17:23:48 +02:00
group_vars/all	🔨 Rename ag_timezone → timezone	2022-11-07 16:35:41 +01:00
host_vars	🚨 Fix "missing document start" warnings	2022-11-18 09:02:35 +01:00
roles	✨ Add option to set ProxyPreserveHost	2022-11-12 13:32:25 +01:00
templates	✨ Setup grafana kiosk on hobbes.n39.eu	2022-11-13 17:13:34 +01:00
.editorconfig	Add EditorConfig configuration file	2022-01-08 13:25:36 +01:00
.mailmap	Introduce gitmailmap	2022-10-26 21:45:47 +02:00
.yamllint	🚨 yamllint: Ignore line-length warnings	2022-11-18 08:58:19 +01:00
ansible.cfg	feat: add nicer rendering to ansible config	2022-10-24 16:33:16 +00:00
configure-grafana.yml	update requirements.yml to correctly install collection	2022-11-12 15:31:51 +01:00
group-all.yml	🔧 Write unattended-upgrade actions to syslog	2022-11-16 21:28:39 +01:00
group-proxmox.yml	🚚 Rename group playbooks to group-*	2022-11-04 22:35:41 +01:00
host-beaker.yml	feat: ✨ add admins to proxmox user permissions file	2022-11-11 14:56:02 +01:00
host-hobbes.yml	✨ Setup grafana kiosk on hobbes.n39.eu	2022-11-13 17:13:34 +01:00
host-holmium.yml	add https ingress for grafana	2022-11-11 14:52:37 +01:00
host-krypton.yml	🚨 Fix "wrong indentation" warnings	2022-11-18 08:44:54 +01:00
host-oganesson.yml	🚚 Rename host playbooks to host-*	2022-11-04 22:34:37 +01:00
host-platon.yml	🚚 Rename host playbooks to host-*	2022-11-04 22:34:37 +01:00
host-pottwal.yml	🚨 Fix "trailing spaces" warnings	2022-11-18 08:50:54 +01:00
host-radon.yml	🔧 Add timezone information to docker containers	2022-11-10 13:05:18 +01:00
host-tau.yml	🚑 Pin Dokuwiki container to specific digest	2022-11-18 17:12:13 +01:00
host-unicorn.yml	🔧 Add timezone information to docker containers	2022-11-10 13:05:18 +01:00
inventory.yml	🔧 Add hobbes.n39.eu to inventory	2022-11-12 17:02:42 +01:00
main.yml	🔧 Link hobbes playbook in main.yml	2022-11-12 17:02:42 +01:00
README.md	Merge pull request 'docs: add command to verify changes' (!112 ) from add-verification-docs into master	2022-11-12 15:43:51 +01:00
requirements.yml	update requirements.yml to correctly install collection	2022-11-12 15:31:51 +01:00
setup-ssh.yml	🚨 Fix new-line-at-end-of-file warnings	2022-11-18 08:50:33 +01:00

README.md

Ansible configuration for the Netz39 infrastructure

This call lists all hosts defined in the inventory:

ansible all --list-hosts

Setup

ansible-galaxy install -r requirements.yml

Setup SSH Access to hosts

LOGUSER=<loguser>
SSH_KEY=<absolute/path/to/ssh/private/key>
ansible-playbook setup-ssh.yml --ask-vault-pass -e "setup_ssh_logname=$LOGUSER" -e "setup_ssh_key=$SSH_KEY"

Edit vault encrypted vars files

ansible-vault edit group_vars/all/vault

Call with

ansible-playbook --ask-vault-pass main.yml

You need to provide a user with sudo rights and the vault password.

Verify Changes

ansible-lint main.yml
ansible-playbook --ask-vault-pass main.yml --check --diff

HTTPS ingress configuration

HTTPS ingress is controlled by the server holmium and forwarded to the configured servers.

To set up a new HTTPS vhost, the following steps need to be taken:

Select a domain (for internal services we use sub-domains of .n39.eu).
Create an external CNAME from this domain to dyndns.n39.eu.
Create an internal DNS entry in the Descartes DNS config. This is usually an alias on an existing server.
Add the entry to the holmium playbook.
Set up Dehydrated and vhost on the target host, e.g. using setup_http_site_proxy.

Do not forget to execute all playbooks with relevant changes.