teuserer/netz39-infra-ansible
1
0
Fork 0
forked from Netz39_Admin/netz39-infra-ansible
Code Pull requests Activity
Ansible configuration for the Netz39 infrastructure
1335 commits 5 branches 0 tags 4.1 MiB
Find a file
Alexander Dahl 338dfc7410 🔊 Redirect curl output to debug log 
curl only logs its own errors to stderr with the given options (--silent
--show-error).  Requests answered by the remote webserver, regardless of
HTTP status code, go to stdout.  So in case of an unsuccesful update
with some error condition we could not see that before.  Redirect those
to debug log, because it's still quite noisy otherwise.

This adds 288 log messages per day and service to the debug log,
accounting to max. 30k per day and service, and thus should not hurt.

desec log output is only the word "good" in case of success.

dd24 full output would be this, and is thus reduced to the relevant
lines merged in one line:

    [RESPONSE]
    code = 200
    description = Command completed successfully
    runtime = 0.067
    queuetime = 0
    EOF

Sample journald entry:

    Feb 27 12:48:15 pottwal dd24[519651]: code = 200,description = Command completed successfully
2025-02-27 14:06:19 +01:00
files Add sudo configuration for Asterisk I2C access 2024-11-04 10:13:40 +01:00
group_vars 🔧 Enable automatic docker image prune again 2025-02-23 19:18:21 +01:00
host_vars Update renovate/renovate Docker tag to v39.180.2 2025-02-25 09:22:15 +00:00
roles 🔊 Redirect curl output to debug log 2025-02-27 14:06:19 +01:00
templates Add SSH entry for host Rhodium 2025-01-13 10:28:59 +01:00
.editorconfig Add EditorConfig configuration file 2022-01-08 13:25:36 +01:00
.gitignore git: add ansible vault pass to gitignore 2023-07-25 23:26:23 +02:00
.mailmap 📝 mailmap: Expand alias to real name 2022-12-31 10:43:16 +01:00
.yamllint 🔧 yamllint: Disable comment-indentation warnings 2025-02-20 08:23:17 +01:00
ansible.cfg feat: add nicer rendering to ansible config 2022-10-24 16:33:16 +00:00
configure-grafana.yml update requirements.yml to correctly install collection 2022-11-12 15:31:51 +01:00
group-all.yml 🚚 roles: timezone: Override with galaxy name 2024-12-28 12:00:40 +01:00
group-docker_host.yml 🚚 Migrate docker_host role to external project 2025-02-23 19:18:21 +01:00
group-k3s.yml 🚨 Add newline at eof 2025-02-19 21:49:57 +01:00
group-proxmox.yml 🚚 Rename group playbooks to group-* 2022-11-04 22:35:41 +01:00
host-beaker.yml 🚨 Fix trivial jinja spacing warnings 2025-02-20 06:43:59 +01:00
host-hobbes.yml Setup a Kiosk on hobbes to show Grafana screenshots 2024-01-06 17:48:53 +01:00
host-holmium.yml 🧱: change git url to git.n39.eu 2023-09-01 19:06:28 +02:00
host-krypton.yml 🚚 Migrate docker_host role to external project 2025-02-23 19:18:21 +01:00
host-oganesson.yml 🚚 Rename host playbooks to host-* 2022-11-04 22:34:37 +01:00
host-platon.yml 🚨 Modernize ansible-lint silence markup 2025-02-19 21:40:23 +01:00
host-plumbum.yml fix: add no_root_squash option to nfs exports 2024-01-13 12:22:25 +01:00
host-pottwal.yml 🚚 Migrate docker_host role to external project 2025-02-23 19:18:21 +01:00
host-radon.yml Update mrtux/grafana-screenshot Docker tag to v0.1.2 2025-02-27 12:27:29 +01:00
host-tau.yml 🚚 Migrate docker_host role to external project 2025-02-23 19:18:21 +01:00
host-unicorn.yml 🚚 Migrate docker_host role to external project 2025-02-23 19:18:21 +01:00
host-wittgenstein.yml 🔧 Enable automatic docker image prune again 2025-02-23 19:18:21 +01:00
inventory.yml Add note on host Rhodium to inventory 2025-01-13 10:28:59 +01:00
main.yml Add wittgenstein to main playbook 2024-11-02 23:01:13 +01:00
README.md Make a note about adding SSH keys to host Rhodium 2025-01-13 10:31:59 +01:00
renovate.json 🔧 renovate: Remove docker_compose match 2025-02-23 19:18:21 +01:00
requirements.yml Update dependency netz39.host_docker to v0.4.0 2025-02-27 09:18:09 +00:00
setup-ssh.yml 🚨 Fix new-line-at-end-of-file warnings 2022-11-18 08:50:33 +01:00

README.md

Ansible configuration for the Netz39 infrastructure

This call lists all hosts defined in the inventory:

ansible all --list-hosts

Setup

ansible-galaxy install -r requirements.yml

Setup SSH Access to hosts

LOGUSER=<loguser>
SSH_KEY=<absolute/path/to/ssh/private/key>
ansible-playbook setup-ssh.yml --ask-vault-pass -e "setup_ssh_logname=$LOGUSER" -e "setup_ssh_key=$SSH_KEY"

This playbook also adds rhodium.n39.eu (OpenWRT router), but our Ansible cannot set up SSH keys (yet). Please add your key to OpenWRT manually.

Edit vault encrypted vars files

ansible-vault edit group_vars/all/vault

Call with

ansible-playbook --ask-vault-pass main.yml

You need to provide a user with sudo rights and the vault password.

Verify Changes

ansible-lint main.yml
ansible-playbook --ask-vault-pass main.yml --check --diff

HTTPS ingress configuration

HTTPS ingress is controlled by the server holmium and forwarded to the configured servers.

To set up a new HTTPS vhost, the following steps need to be taken:

  1. Select a domain (for internal services we use sub-domains of .n39.eu).
  2. Create an external CNAME from this domain to dyndns.n39.eu.
  3. Create an internal DNS entry in the Descartes DNS config. This is usually an alias on an existing server.
  4. Add the entry to the holmium playbook.
  5. Set up Dehydrated and vhost on the target host, e.g. using setup_http_site_proxy.

Do not forget to execute all playbooks with relevant changes.