# hatecomputers.club infra

A collection of playbooks to deploy the hatecomputers.club infra

## Prerequisites

- `ansible`
- `yamllint`
- `ansible-lint`
- an ssh key accepted on the root of each host in the `inventory`

## Setup

### Vault

Secrets are managed via `ansible-vault`. Initialize or update your vault
with new secrets via our custom `./ansible-vault-init.sh` script.

Additionally, if you want to only update a single secret, use
`./ansible-vault-init.sh <secret_name>`.

If you don't want to be prompted to enter your password every time you
deploy something, put your password as plain text into `secrets.pwd` as
a single line in the root src directory:

```bash
echo "<your_password>" > secrets.pwd
```

Then you can add `--vault-password-file secrets.pwd` each time you run a
deployment (or you know, use `pass` or something if you're paranoid).

### Pre-commit hooks

1. clone the repo

```bash
git clone git@git.hatecomputers.club:hatecomputers.club/infra
cd infra
```

2. add a pre-commit hook

```bash
cd .git/hooks
touch pre-commit
```

3. insert into `pre-commit` the following contents:

```bash
#!/bin/sh

set -e

# lint yaml files
echo "running yamllint..."
yamllint --strict .

# follow ansible best-practices
echo "running ansible-lint"
ansible-lint
```

4. make it executable

```bash
chmod +x pre-commit
```
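As an added example (not part of the hatecomputers.club repo), here is a stricter hook body in the same `#!/bin/sh` style that also stops two mistakes this setup makes easy: committing the plaintext `secrets.pwd` from the Vault section, and committing a `*.enc` vault file that was saved unencrypted. It assumes every vault file in the repo ends in `.enc`, like `secrets.enc`; `is_vault_encrypted`, `check_staged_file` and `check_staged` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the hatecomputers.club repo. Put these functions in
# .git/hooks/pre-commit ahead of the lint steps. Assumption: every ansible-vault
# file in the repo is named *.enc, like secrets.enc.

# is_vault_encrypted FILE: succeeds only if FILE starts with the ansible-vault header.
is_vault_encrypted() {
  head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# check_staged_file PATH: succeeds if PATH is safe to commit, fails otherwise.
check_staged_file() {
  case "$1" in
    secrets.pwd|*/secrets.pwd)
      # the plaintext vault password file must never reach the repo
      echo "pre-commit: refusing plaintext vault password file: $1" >&2
      return 1 ;;
    *.enc)
      if ! is_vault_encrypted "$1"; then
        echo "pre-commit: $1 is not ansible-vault encrypted" >&2
        return 1
      fi ;;
  esac
  return 0
}

# check_staged: run check_staged_file over every added/changed staged path
# (one path per line; paths containing whitespace are not handled).
check_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACMR); do
    check_staged_file "$f" || status=1
  done
  return $status
}

# Only act when executed as the hook itself, so the functions can also be sourced.
case "$0" in
  *pre-commit) check_staged || exit 1 ;;
esac
```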

## Running

`ansible-playbook -e @secrets.enc deploy.yml` will run every playbook that has been added to `deploy.yml`,
using the vault initialized in the previous steps.

During development, though, you should test individual playbooks; `deploy.yml`
should be left as a record of the general order of things, or for a
full deployment after testing.

NOTE: It is highly advised to run `ansible-playbook` in an `ssh-agent` session to avoid retyping your password over and over. Something along the lines of:

```bash
ssh-agent "$SHELL"
ssh-add ~/.ssh/<private-key>
```