Commit 96df5dcf authored by Paul S

Transform into dockerhub compatible image

parent aabfa4f1
File moved
# Provision
# Ansible-Keepass
This repository holds a sharable and "all configuration described in code"
**provision and deployment system** around [Ansible](https://www.ansible.com/).
It relies on a simple and encrypted [KeePass](https://keepass.info) storage file
to manage the passwords of deployed machines.
This repository holds a "all configuration described in code" **provision and
deployment system** around [Ansible](https://www.ansible.com/). Additionally it
relies on a simple and encrypted [KeePass](https://keepass.info) storage file to
manage the passwords of deployed machines.
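Review bot: the heading changes from `# Provision` to `# Ansible-Keepass` while the commit message only speaks of a Docker Hub compatible image; if the rename is intended, the later link to the `example-data` branch of `OneOffTech/provision` should be checked against the new name. Whichever of the two introductions is kept, `a "all configuration described in code"` should read `an "all configuration described in code"`, and the `It relies on` / `Additionally it relies on` sentence only needs to appear once.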
## Requirements
However, in order to use this setup, none of the mentioned programs are a
requirement, as it runs inside a [Docker](https://www.docker.com/) container and
well defined through [Docker Compose](https://docs.docker.com/compose/). Just
make sure you have those two installed.
[Docker](https://www.docker.com/) and [Docker
Compose](https://docs.docker.com/compose/) will have to be already installed on
the host system.
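Review bot: the sentence `none of the mentioned programs are a requirement, as it runs inside a Docker container and well defined through Docker Compose` is ungrammatical and, read on its own, sits oddly next to `Just make sure you have those two installed`; the shorter wording that follows (`Docker and Docker Compose will have to be already installed on the host system`) says the same thing clearly, so keep that one and add that Ansible, `pykeepass` and `passlib` are shipped inside the image and are not needed on the host.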
## Configuration
Before you start, all essential things for Ansible need to be placed into the
`data` directory. Please add:
* `data`/`ansible.hosts` - A typical [Ansible
- `data`/`ansible.hosts` - A typical [Ansible
inventory](https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html)
listing your machines, their IP addresses and SSH ports.
* `data`/`group_vars` - Directory containing [Group specific
- `data`/`group_vars` - Directory containing [Group specific
variables](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable)
for the deployment.
* `data`/`host_vars` - Directory containing [Host specific
- `data`/`host_vars` - Directory containing [Host specific
variables](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable)
for the deployment.
* `data`/`playbooks` - One or more [Ansible
- `data`/`playbooks` - One or more [Ansible
playbooks](https://docs.ansible.com/ansible/latest/user_guide/playbooks_intro.html)
to be available.
* `data`/`roles` - The [Ansible
- `data`/`roles` - The [Ansible
roles](https://docs.ansible.com/ansible/devel/user_guide/playbooks_reuse_roles.html),
which are available (if managing with git, they can be perfectly included as
_[submodules](https://git-scm.com/book/en/v2/Git-Tools-Submodules)_).
* `data`/`ssh`/`id_rsa` - The private key of a ssh key pair to connect to
- `data`/`ssh`/`id_rsa` - The private key of a ssh key pair to connect to
machines.
* `data`/`ssh`/`id_rsa.pub` - The public key of a ssh key pair to connect to
- `data`/`ssh`/`id_rsa.pub` - The public key of a ssh key pair to connect to
machines.
* `data`/`passwords.kdbx` - A [KeePass](https://keepass.info) database file,
- `data`/`passwords.kdbx` - A [KeePass](https://keepass.info) database file,
holding the passwords of the users on the deployed machines.
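Review bot: the list alternates `*` and `-` bullets for the same items; pick one style. More important, `data/ssh/id_rsa` and `data/passwords.kdbx` are long-lived secrets, and the README says nothing about handling them: the private key must be mode 0600 (OpenSSH ignores a key that is group- or world-readable, and that check also applies to the file as seen inside the container through the mounted volume), and the text never says how the KeePass master password is supplied to the container when a playbook runs, which is the first thing a new user will hit.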
> You can also have a look at the [example data
> repository](https://github.com/OneOffTech/provision-data-example) to get a
> better idea.
You may want to put and manage all this private (!) data in a git repository,
with obviously very restricted access to it (as it contains important keys). A
git repository can be included nicely - as a
_[submodule](https://git-scm.com/book/en/v2/Git-Tools-Submodules)_:
* `git submodule add https://github.com/OneOffTech/provision-data-example data`
> _Note:_ You may check the
> [`example-data`](https://github.com/OneOffTech/provision/tree/example-data)
> branch of this repository in order to see how the different repositories can
> be all included as git _submodules_: starting from the provision linking to
> the (private) data repository, and the roles inside this, again coming from
> different (probably public) sources.
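Review bot: the `git submodule add https://github.com/OneOffTech/provision-data-example data` line adds the public example repository as `data`; say explicitly that the reader substitutes the URL of their own private data repository here, since the example repository is public and is only meant to show the layout. The `(!)` in `private (!) data` could be replaced by a plain sentence stating that this directory contains the SSH private key and the KeePass database.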
## Server deployment
Deployment happens through a docker container which runs ansible.
* Apply everything to all: `docker-compose run --rm ansible_commander -i
ansible.hosts playbooks/install.yml`
* Apply everything to one server: `docker-compose run --rm ansible_commander -i
ansible.hosts -l YOURSERVER playbooks/install.yml`
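Review bot: both `docker-compose run` commands pass `-i ansible.hosts` and `playbooks/install.yml` as paths relative to `data`, so they only work if the compose service mounts `data` as its working directory; state that, or use the `data/...` prefix that the local deployment section uses. `YOURSERVER` should be described as a host or group name from `ansible.hosts`, since that is what `-l` limits on.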
## Local deployment
For local deployment, the setup can not be deployed from a Docker container.
Instead, Ansible must be installed:
```bash
ansible-playbook -i "localhost," -c 127.0.0.1 data/playbooks/install.yml
```
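Review bot: `-c 127.0.0.1` is not valid: `-c`/`--connection` takes the name of a connection plugin, not an address, so this command fails before running anything. With the `-i "localhost,"` inventory the intended form is `ansible-playbook -i "localhost," -c local data/playbooks/install.yml`.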
## Local Installation
### Prerequesites
* Install [Debian](https://www.debian.org/CD/netinst/).
* If encryption is needed, create a LUKS encrypted LVM partition and
mount it on `/data`.
* Only install `Standard system utilities` and `SSH server` tasks.
* Allow root (administrator) logins (use keypairs or a strong password).
* Don't create an normal user account, this will be done by the playbooks.
* Register a domain name and point it to your server's public IP address.
* If your server is behind a NAT gateway, setup port forwards on your
router. How to do so depends on your router model, please consult the
manufacturers documentation.
At least the following ports will need to be forwarded (may be changed in
configuration):
```
OpenSSH server: TCP 54646
Web services: TCP 80 + TCP 443
OpenVPN server: TCP 1194 + UDP 1194
```
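Review bot: typo `Prerequesites` (should be `Prerequisites`), and `Don't create an normal user account` should be `a normal user account`. On `Allow root (administrator) logins (use keypairs or a strong password)`: the Notes section says the playbooks create `user` with `sudo`, so the item should prefer key-only root login (`PermitRootLogin prohibit-password` in `sshd_config`) and mention that root login can be switched off once the playbooks have created the sudo user. The ports block has an untagged fence, and the `OpenSSH server: TCP 54646` entry should point at where that port is configured, since `ansible.hosts` has to list the same SSH port for the deployment to reach the machine.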
### On administrating machine
To manage hosts with [ansible](http://ansible.com/) you need to install
`ansible` on your machine:
```debian
sudo apt install python-pip
sudo pip install ansible pykeepass passlib
```
- Apply everything to all: `docker-compose run --rm ansible_commander -i ansible.hosts playbooks/install.yml`
- Apply everything to one server: `docker-compose run --rm ansible_commander -i ansible.hosts -l YOURSERVER playbooks/install.yml`
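Review bot: this section contradicts the Docker-based workflow above: it installs `ansible`, `pykeepass` and `passlib` on the host with `sudo pip install` and then repeats the same two `docker-compose run` commands, which do not need a host Ansible at all. Either drop the pip block, or move it under Local deployment where a host Ansible is actually required. If it is kept, `python-pip` is the Python 2 package on Debian and `sudo pip install` writes into the system site-packages, so `python3-pip` with a virtualenv (or `pip install --user`) is the safer instruction. The `debian` fence tag is not a language; use `bash`.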
### Only run certain roles
To save time, you can tell ansible to only run certain playbooks by
supplying the `--tags` flag, which can use multiple parameters. A
simple example would be `--tags="kbox,vpn"`. To see a list of defined tags,
you can check the site.yml.
To save time, you can tell ansible to only run certain playbooks by supplying
the `--tags` flag, which can use multiple parameters. A simple example would be
`--tags="kbox,vpn"`. To see a list of defined tags, you can check the site.yml.
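Review bot: this paragraph appears twice with only the line wrapping changed; keep one copy. It also sends the reader to `site.yml` for the list of tags, while every command on the page runs `playbooks/install.yml`; refer to the playbook that is actually used, or to `ansible-playbook --list-tags`, which prints the tags of whatever playbook is given.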
### Check for changed configuration
To see the differences between the server and the configured playbooks, add
the `--check` flag. To highlight the current state and proposed changes,
To see the differences between the server and the configured playbooks, add the
`--check` flag. To highlight the current state and proposed changes,
additionally use the `--diff` flag.
For configuration of the individual roles, please check out the respective
`README.md` files in the `roles/` directory.
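Review bot: the first two lines of this paragraph are duplicated by the re-wrapped copy below them; keep one. Worth adding that `--check` is only a dry run for modules that support check mode, and that `--diff` prints file contents, which for templated configuration can include passwords taken from the KeePass database, so its output should not be pasted into tickets or chat.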
## Notes
### Default locations
Per default settings, all data will belong to "user", which has root
privilege via `sudo`, as well as permissions to use `docker`.
The docker-compose files will be located in `/home/user/deploy`, and the
persistent data will be located in `/data`, which is optionally an encrypted
partition that does not get mounted automatically on reboot.
### Encrypted Data partitions
If `/data` is located on an encrypted partition, the administrator will need
to log into the server after each reboot and mount the volume manually by
running:
```debian
cryptsetup luksOpen /dev/vg01/data-crypt data-decrypt
# [enter password]
mount /dev/mapper/data-decrypt /data/
```
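Review bot: `debian` is not a language tag; use `bash`. `cryptsetup luksOpen` is the legacy spelling and `cryptsetup open --type luks /dev/vg01/data-crypt data-decrypt` is the current form. Because `/data` is deliberately not mounted at boot, the docker-compose services under `/home/user/deploy` that keep their state below `/data` will start against an empty mount point after a reboot unless they are also held back until the volume is opened; document that ordering. The Default locations paragraph should also state that membership in the `docker` group is root-equivalent, so `user` has two paths to root and its SSH key deserves the same protection as root's.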