Work-in-progress Ansible setup for Seattle Flu Study infrastructure. Our intent is to describe our infrastructure setup with Ansible (and/or other tools) over time, piece by piece.

Requirements for using this repository:

• A local copy of the repository, e.g. checked out with git

• Ansible 2.9+, installed with your preferred installation method

• Dependencies from Ansible Galaxy installed locally, using ansible-galaxy install -r requirements.yaml

• For production deployments: credentials for our infrastructure, e.g. an authorized SSH keypair for backoffice.seattleflu.org

• For local development: a Multipass instance named backoffice (see below)

The layout of this repository is:

ansible.cfg     — Global Ansible configuration options.

*.yaml          — Playbooks (e.g. backoffice.yaml)

hosts/          — Inventories of hosts
  development   —   …in development
  production    —   …in production

tasks/          — Conceptual groupings of tasks for use by playbooks
  …

files/          — Static configuration files used by playbooks/tasks
  …

Each playbook is intended to (eventually) capture the whole setup of a host or group of hosts. If the playbook for a host becomes unwieldy, we can refactor it into multiple files grouped by functionality.

Future additions should generally follow the example setup in Ansible's documentation.

To run a playbook in development:

ansible-playbook a-playbook.yaml

To run a playbook in production, change the inventory used:

ansible-playbook a-playbook.yaml -i hosts/production

Each playbook is intended to (eventually) capture the whole setup of a host or group of hosts. To share tasks between playbooks, write a role.

Declarative configuration and idempotency are a key feature of Ansible (and other similar tools). When naming plays and tasks, keep this in mind by using statements that declare the desired state ("service X is started") instead of actions ("start service X").

Secrets such as passwords and API tokens are encrypted using Ansible Vault and stored in this repo. Ansible Vault uses strong symmetric encryption with a single decryption password shared by all secrets stored in a logical "vault". Ansible automatically decrypts the secrets as necessary when they're referenced by playbooks but must be told how to obtain the vault password (e.g. by asking you, by reading a file, or by running another program). This vault password is stored outside of Ansible, such as in your password manager of choice.

We currently use a single seattleflu vault, which should be used for all secrets except in the very rare case of when the whole team should not have access to a secret. Use the --vault-id seattleflu@prompt option when running ansible, ansible-playbook, or ansible-vault to both specify the seattleflu vault and be asked for the vault password.

Please use encrypted files in preference to encrypted variables, as files are easier to re-encrypt later with a new password (e.g. when someone departs the team).

To encrypt a file:

ansible-vault encrypt --vault-id seattleflu@prompt path/to/file

To check an encrypted file's contents:

ansible-vault view --vault-id seattleflu@prompt path/to/file

Multipass is a really nice CLI and GUI tool to spin up Ubuntu VMs on your computer no matter your host OS. The idea is that for local development and testing, this Ansible setup can target a local VM that closely matches production. For now "closely matches" means only the same Ubuntu version, but this will naturally become higher fidelity as we describe more of our infrastructure using Ansible!

Create a backoffice instance:

multipass launch --name backoffice 18.04    # Ubuntu 18.04 LTS

Add your SSH public keys so that Ansible can login via SSH:

ssh-add -L | multipass exec backoffice -- tee -a /home/ubuntu/.ssh/authorized_keys

Now test that Ansible can login by issuing an ad-hoc ping:

ansible backoffice --user ubuntu --module-name ping

This specifies the backoffice host group, which will be found in the default inventory (hosts/development). You should see green text saying something like:

backoffice.multipass | SUCCESS => {
    "ping": "pong",

}

If Ansible cannot login and you recieve a message like:

backoffice.multipass | UNREACHABLE! => {
    "msg": "Failed to connect to the host via ssh: ssh: Could not resolve hostname backoffice.multipass: nodename nor servname provided, or not known",
    …
}

Then you should try running

multipass info backoffice

and use the IPv4 address printed out in lieu of the hostname provided in hosts/development

For other troubleshooting, you can get a shell on your new instance at any point with:

multipass shell backoffice

If you want to start from a clean slate, delete the backoffice instance and SSH's remembered host key (to avoid errors about the new instance's different host key):

multipass delete --purge backoffice
ssh-keygen -R backoffice.multipass

Then re-create the instance as above.