NOT COMPLETELY READY YET
This does not install Semaphore yet (mainly because there is no native Debian package yet)
However, Ansible already is usable.
And Semaphore will follow (as a
git
checkout) as soon as I got it verified at my side.
Bootstrap of a server or VM to provide Ansible and Semaphore from scratch.
In Disaster Recovery things must start somewhere.
- First, you must get on hold of the needed information
- This is beyond the scope of this document
- Second, you need to reimplement your physical and logical infrastructure
- This is beyond the scope of this document
- This is, you buy bare metal and put it into work
- However in the scope of this document, we use a cloud provider, something which is just there.
- Third, you need to create the network and interconnectivity
- This is beyond the scope of this document
- Without functionality
- But every host has some basic OS installed and got it's IP and network connections
- However in the scope of this document, we use a cloud provider, so the VMs are up and running
- Fourth, you need to setup everything
- This repository here is the first part on this task
- The next part would be to adapt all the configuration to your new infrastructure
- And then you will - automatically - setup all your infrastructure back into the state before the disaster
- And if you have done everything correctly before the disaster struck, your Infrastructure is back up running.
- Fifth, you need to restore all databases, file contents and so on
- This is beyond the scope of this document
- Sixth, you grant all the (new) access rights to the people who are now involved
- This is beyond the scope of this document
Then you are back in operation.
The first thing in the fifth step is to get your deployment system up and running. This is exactly what this here does:
- Before you have a minimal installed up and running VM
- Afterwards you have this VM set up such, that Ansible is able to bring back functionality to your infrastructure.
It may not seem to be a big deal. Installing Ansible yourself is easy. Right.
But there is a bit of a difference if this is manually done or automated.
With automation, you can test the procedure if it really works and there is no lack of documentation. Something which, perhaps, is puzzling, because this step involves some knowledge, which is no more there after disaster struck.
So you need some bootstrapping of your confuguration management.
And this is exactly, what this repository does. It bootstraps Ansible.
Not from scratch, but from your OS vendor: Debian
- Local is the local machine you work on
- It is already running a recent Debian or Ubuntu (20.04 LTS is sufficient)
- You have
root
access on Local - You can install new packages on Local
- Destination is the machine, Ansible and Semaphore shall be set up
- It is a bare bone minimal Debian install
- with the usual non-root user
- You can login into Destinatian as the non-root user with
ssh ansible
and the user's password ssh root@ansible
does not work (yet)- You know the
root
password
On Local install ansible
- probably with
sudo apt install ansible make
- Perhaps this needs some more packages, I do not know, sorry.
- It does not need to be the newest version
- It is only used to bootstrap
.ssh/config.d/ansible.conf
might look as follows:
Host ansible
Hostname 192.168.0.1
User ansible
which assumes, that you have follwing in .ssh/config
:
include ~/.ssh/config.d/*.conf
This is absolutely straight forward plain
ssh
basics.You should know this in advance. If not, better get a bit more experienced. As the real challenge is how to master Ansible, not how to use
ssh
properly!
git clone https://github.com/hilbix/ansible-install.git
cd ansible-install
make
This will prompt for following details if needed:
- The non-root user's password
- The root password
This is idempotent, so does no harm if you run it again.
After the machine is setup, this step will not prompt for anything!
This task is not ready yet!
Open a browser to your Ansible host with http
protocol.
If you want to setup https
do it as follows:
- Use LetsEncrypt to deploy an
ssl
certificate to the machine- How to LetsEncrypt see https://github.com/hilbix/dehydrated/wiki
- The setup already prepared the user
letsencrypt
- Home is
/etc/letsencrypt/
but withoutssh
-credentials yet
- Home is
FYI: Here is how I get a Cert for internal domains.
- One way would be to use DNS-01, but I currently do not support that at my side
- The other way is to provide some external dummy-service for the domain name and use another name resolution on the Intranet. This is the way I go.
- I really do not recommend to put the hosts like Ansible onto the public Internet.
- Such hosts must be defended at all costs, so no incoming connectivity, please!
To setup ssh
-credentials on /etc/letsencrypt
provide a file
letsencrypt.pub
in the current directory and type:
make
If you are happy with the letsencrypt setup type
make https
This switches off http
mode.
What is missing?
Well, your configuration, of course. This must come from your Disaster Documentation.
Usually (or best) in form of git
repositories. Because git
does not leave open questions.
No nano
?
- Sorry, my fingers do not speak
nano
. They only speakvim
andemacs
. - To allow all to fallback to
vim
needs a purge ofnano
- I really have no idea how to make
vim
the default without purgingnano
.
- I really have no idea how to make
License?
- Free as free beer, free speech or free Baby.