Stefan Haun
029838344c
Reviewed-on: https://gitea.n39.eu/Netz39_Admin/netz39-infra-ansible/pulls/112
56 lines
1.5 KiB
Markdown
# Ansible configuration for the Netz39 infrastructure

This call lists all hosts defined in the inventory:

```bash
ansible all --list-hosts
```

## Setup

```bash
ansible-galaxy install -r requirements.yml
```

## Setup SSH Access to hosts

```bash
LOGUSER=<loguser>
SSH_KEY=<absolute/path/to/ssh/private/key>
ansible-playbook setup-ssh.yml --ask-vault-pass -e "setup_ssh_logname=$LOGUSER" -e "setup_ssh_key=$SSH_KEY"
```

## Edit vault encrypted vars files

```bash
ansible-vault edit group_vars/all/vault
```

## Call with

```bash
ansible-playbook --ask-vault-pass main.yml
```

You need to provide a user with sudo rights and the vault password.

## Verify Changes

```bash
ansible-lint main.yml
ansible-playbook --ask-vault-pass main.yml --check --diff
```

## HTTPS ingress configuration

HTTPS ingress is controlled by the server [holmium](https://wiki.netz39.de/admin:servers:holmium) and forwarded to the configured servers.

To set up a new HTTPS vhost, the following steps need to be taken:

1. Select a domain (for internal services we use sub-domains of `.n39.eu`).
2. Create an external CNAME from this domain to `dyndns.n39.eu`.
3. Create an internal DNS entry in the [Descartes DNS config](https://gitea.n39.eu/Netz39_Admin/config.descartes/src/branch/prepare/dns_dhcp.txt). This is usually an alias on an existing server.
4. Add the entry to the [holmium playbook](holmium.yml).
5. Set up Dehydrated and vhost on the target host, e.g. using `setup_http_site_proxy`.

Do not forget to execute all playbooks with relevant changes.
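
One way to verify the result of the vhost steps above, as an added example that is not part of this repository: it checks that the external CNAME points to `dyndns.n39.eu` and that the certificate served on port 443 lists the new domain. It assumes `dig` and OpenSSL 1.1.1 or newer are installed; the `RESOLVER` variable and the `demo.n39.eu` sample name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: post-setup check for a new HTTPS vhost. Not part of the repository.
EXPECTED_CNAME="dyndns.n39.eu"   # CNAME target from step 2

# Lower-case a DNS name and strip the trailing root dot.
normalize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# cname_matches <output of `dig +short CNAME domain`>
# Succeeds only if there is exactly one CNAME record and it is the expected target.
cname_matches() (
    answer=$(printf '%s\n' "$1" | sed '/^[[:space:]]*$/d')
    count=$(printf '%s\n' "$answer" | grep -c . || true)
    [ "$count" -eq 1 ] && [ "$(normalize_name "$answer")" = "$EXPECTED_CNAME" ]
)

# cert_covers <domain> <output of `openssl x509 -noout -ext subjectAltName`>
# Succeeds if a DNS SAN equals the domain or is a wildcard for its parent zone.
cert_covers() (
    domain=$(normalize_name "$1")
    wildcard="*.${domain#*.}"
    printf '%s\n' "$2" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' \
        | tr 'A-Z' 'a-z' | grep -qxF -e "$domain" -e "$wildcard"
)

if [ -n "${1:-}" ]; then
    # Live check. The internal DNS (step 3) may answer differently from the
    # external one, so set RESOLVER (hypothetical variable) to a public
    # resolver when running this from inside the network.
    domain=$1
    cname_matches "$(dig +short CNAME "$domain" ${RESOLVER:+@$RESOLVER})" \
        || echo "FAIL: $domain is not a CNAME for $EXPECTED_CNAME"
    san=$(openssl s_client -connect "$domain:443" -servername "$domain" \
            </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null)
    cert_covers "$domain" "$san" \
        || echo "FAIL: certificate served for $domain does not list it"
else
    # No argument: run offline against constructed sample answers.
    cname_matches "dyndns.n39.eu." && echo "sample CNAME ok"
    cert_covers "demo.n39.eu" "    DNS:demo.n39.eu, DNS:other.n39.eu" \
        && echo "sample SAN ok"
fi
```

Run it with the new domain as the only argument once all playbooks have been executed; no output means both checks passed.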