Hello and welcome to the repo managing our infrastructure. Lets have a look at how it all works:
- Ansible is used to have reproducable environments and sets up the base system for Docker
- Docker & docker-compose is used to setup the applications and webservices
- GitLab CI is setup and ready to be used, it currently responds to two keywords:
- Changes can be automatically tested by supplying
dry-runtogether with the name of the playbook to run, egSomechange, dry-run full_run.yml - Deploying is also possible by supplying
deploytogether with the name of the playbook to run, egSomechange [deploy full_run.yml]
- Changes can be automatically tested by supplying
- We have different roles for all parts of the infrastructure
- Environment variables are contained in the
host_varsfolders, split regular and encrypted files in case of sensible data - Supplying the
ansible-vaultpassword is done inansible/.vault_pass- this file needs to exist in order to run playbooks - For a complete server setup, the
full-run.ymlplaybook should be used - Updating all systems & rebooting them can be done by running the
system-update.ymlandreboot.ymlplaybooks
- Sets up everything needed for on all servers, eg. Pacman configurations,
motdorsystemd-oomd
- Server hardening is done using the Devsec Hardening framework
- We use the
os_hardeningandssh_hardeningplaybooks, other services don't benefit from this as we run all the stuff inside of containers - Individual settings can be put into
host_varsin case of specific needs
- To add automatic backups to a server, add it
[borg-clients]in thehostsfile and specify theborg_dirvariable, eg.borg_dir="/var/cache/garuda-web" - The SSH key of the root user then needs to be added to the borg servers
authorized_keys - Do a test run in order to add the borg server to
known_hosts
- The Chaotic-AUR role is supposed to bootstrap a basic Chaotic-AUR build environment. It is maintained at the Chaotic-AUR GitHub org and added as submodule, therefore don't forget to initialize it!
- It also creates a GPG key if it doesn't exist and fetches it to
ansible/buffer - The content of
chaotic.confcan be defined inhost_vars, these also control whether a cluster node or primary node is being deployed - If the primary node is managed by Ansible (
caur_primary = true), SSH keys are automatically added to itsauthorized_keys - Make sure to add the required
host_vars, examples can be found inansible/roles/chaotic_aur/defaults/main.yml - If
caur_mirroris set totrue, a local Syncthing mirror and web server will be deployed as well
- In this role we specify our users and their permissions
- To add a user simply add it to the array of users - groups can also be passed here
- There are three types of users: regular, admins and Chaotic-AUR maintainers - the latter gets added when the host is added to the
[chaotic_aur]group
- Used to detect Letsencrypt instances based on the
letsencryptvariable - Can also update certificates if needed
- Needs
letsencrypt_domainandletsencrypt_dataspecified ashost_vars
- Contains various Systemd units needed on certain systems
- Can be controlled by specifying environment variables in
host_vars
- The uppercase directories in the main directory represent our individual servers
- The
docker-compose.yml.j2files (ansible/roles/docker_compose/templates) in conjunction with static configuration files can be altered and pushed to the servers using thegaruda.ymlplaybook - Environment variables are passed via
host_vars, replace them with {{ ansible_env_vars }} inside of thedocker-compose.yml.j2files - Put sensible environment variables inside of the
host_varsfolder, here we have*_vault.ymlfiles which are encrypted
- We use
prettifyIn order to achieve a consistent code style and formatting - Install yarn und run
yarn installinside the project directory to set up the its dependencies yarn run lintwill run the linter and show the results,yarn run prettifywill fix the found issues