Ansible configuration for the usgo web infrastructure.

The configuration here uses a series of roles which are then placed in various playbooks. Naming conventions are fairly straightforward, i.e. `inventory_name_[description].yaml`.

In the case of `test_playbook.yaml` there is one imported playbook that uses two roles, `web` and `mysql`. These roles create a base Apache web server and a MySQL database that match production.

Apache virtual hosts have two main templates, `vhost.conf.j2` and `vhost_ssl.conf.j2`, which provide a base for our vhost configuration. Host-specific configuration for the `web` role is provided by a `[servername].extra.conf.j2` file named after the hostname defined in `group_vars`.

The production roles differ slightly because of the configuration needed for certbot and Let's Encrypt, which enable HTTPS on our servers.
Requirements:

- python 3
- ansible
- ssh public key in `~/.ssh/authorized_keys` on the target hosts
- `roles/requirements.txt` installed: `ansible-galaxy install -r roles/requirements.txt`
- `~/.ansible.cfg` configured to allow the local ssh agent to be forwarded, i.e.:

```ini
[ssh_connection]
ssh_args = -o ForwardAgent=yes -C -o ControlMaster=auto -o ControlPersist=60s
```

Note: Host key checking can be disabled as well; however, consider the implications before doing so. For more details see: Connection Methods - Managing Host Key Checking.

`~/.ansible.cfg` also requires that python3 be enabled:

```ini
[defaults]
interpreter_python=python3
```

Putting both together, a complete `~/.ansible.cfg` looks like:

```ini
[defaults]
interpreter_python=python3

[ssh_connection]
ssh_args = -o ForwardAgent=yes -C -o ControlMaster=auto -o ControlPersist=60s
```
To add a new host:

- Create a folder for the inventory group within `group_vars`.
- Add a `vars.yaml` to the inventory group folder within `group_vars` with something like:

```yaml
---
vhost:
  - servername: test.example.com
    serveradmin: [email protected]
    documentroot: /var/www/test.example.com
  - servername: example.com
    serveradmin: [email protected]
    documentroot: /var/www/example.com
```

- Create an extra file (`[servername].extra.conf.j2`) for the vhost of each hostname, e.g.:

```apache
Define example_com_root {{ item.documentroot }}
LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/{{ item.servername }}-error.log
CustomLog ${APACHE_LOG_DIR}/{{ item.servername }}-access.log combined
<Directory ${example_com_root}>
    Options +FollowSymLinks -Indexes -MultiViews
    AllowOverride all
    Require all granted
</Directory>
```

- (Optional) Pass in extra params to the vhost:

```yaml
vhost:
  - servername: test.example.com
    serveradmin: [email protected]
    documentroot: /var/www/test.example.com
    extra_params: |
      RewriteCond %{SERVER_NAME} =test.example.com
      RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
```
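A pre-flight check for the `group_vars` convention above, as an added example that is not part of this repository: it verifies that every `vhost` entry has a valid servername, a `serveradmin` address, an absolute `documentroot` that cannot escape `/var/www`, and a matching `[servername].extra.conf.j2` template, so a misconfigured entry is caught before the playbook runs. The sample vars and template list are constructed, and the `/var/www` base directory is an assumption.

```python
import posixpath
import re

# Constructed sample of what Ansible loads from group_vars/<group>/vars.yaml
# (not the project's real inventory).
SAMPLE_VARS = {
    "vhost": [
        {"servername": "test.example.com",
         "serveradmin": "webmaster@example.com",
         "documentroot": "/var/www/test.example.com"},
        {"servername": "example.com",
         "serveradmin": "webmaster@example.com",
         "documentroot": "/var/www/example.com"},
    ]
}
# Constructed list of template files present in the web role.
SAMPLE_TEMPLATES = ["vhost.conf.j2", "vhost_ssl.conf.j2", "test.example.com.extra.conf.j2"]

DOCROOT_BASE = "/var/www"  # assumption: all document roots live under this directory
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_vhosts(vars_data, templates):
    """Return a list of problems found in the vhost list; empty means it is consistent."""
    problems, seen = [], set()
    for i, vh in enumerate(vars_data.get("vhost", [])):
        name = str(vh.get("servername", ""))
        if not HOSTNAME_RE.match(name):
            problems.append(f"vhost[{i}]: invalid servername {name!r}")
        if name in seen:
            problems.append(f"vhost[{i}]: duplicate servername {name!r}")
        seen.add(name)
        if not EMAIL_RE.match(str(vh.get("serveradmin", ""))):
            problems.append(f"{name}: serveradmin is not an e-mail address")
        root = str(vh.get("documentroot", ""))
        # Normalise so that '..' segments cannot place the root outside the base.
        norm = posixpath.normpath(root) if root.startswith("/") else ""
        if not norm.startswith(DOCROOT_BASE + "/"):
            problems.append(f"{name}: documentroot {root!r} is not under {DOCROOT_BASE}")
        # Each servername needs its host-specific template (the README's naming convention).
        if f"{name}.extra.conf.j2" not in templates:
            problems.append(f"{name}: missing {name}.extra.conf.j2 template")
    return problems


if __name__ == "__main__":
    for p in check_vhosts(SAMPLE_VARS, SAMPLE_TEMPLATES):
        print(p)
```

With the constructed sample, the only finding is the missing `example.com.extra.conf.j2` template.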
Roles and their tags:

| Role | Tag(s) |
|---|---|
| usgo.agagd | usgo.agagd |
Running a playbook:

```shell
shell> ansible-playbook -u [username] -K -i [inventory] [playbook.yaml]
```

Limiting a run to specific hosts:

```shell
shell> ansible-playbook -u [username] -K -i [inventory] [playbook.yaml] --limit='[host1,host2]'
```

Running a single role ad hoc against a host group (here against the production inventory, with the vault password read from a file):

```shell
shell> ansible [hosts_group] -i 'inventories/production' --vault-password-file=.prod_vault_pass -u [username] -K -b -m include_role -a name=usgo.devops_user
```

Running a playbook that uses vault-encrypted variables, either prompting for the vault password or reading it from a file:

```shell
shell> ansible-playbook --ask-vault-pass -u [username] -K -i [inventory] [playbook.yaml]
shell> ansible-playbook --vault-password-file=[vault_password_file] -K -i [inventory] [playbook.yaml]
```