ansible: first draft

Pedro Lucas Porcellis porcellis@eletrotupi.com 7 days ago 86679dd1e585488c3744a5531456068a708f0eb1

Parents: 63f2fd3

8 file(s) changed

ansible/inventory/group_vars/all.yml +10 -0
ansible/inventory/hosts.yml +6 -0
ansible/provision.yml +36 -0
ansible/requirements.yml +4 -0
ansible/roles/appuser/tasks/main.yml +24 -0
ansible/roles/bootstrap/tasks/main.yml +18 -0
ansible/roles/directories/tasks/main.yml +42 -0
ansible/roles/docker/tasks/main.yml +18 -0

ansible/inventory/group_vars/all.yml

@@ -0,0 +1,10 @@
  + # The deploy user to create
  + deploy_user: deploy
  + 
  + # The SSH public key that will be authorised for the deploy user
  + deploy_ssh_pubkey_file: ~/.ssh/nexo_deploy_key.pub
  + 
  + # App directories to create under /srv/app
  + app_environments:
  +   - production
  +   - staging

ansible/inventory/hosts.yml

@@ -0,0 +1,6 @@
  + all:
  +   hosts:
  +     vps:
  +       ansible_host: 172.237.61.17
  +       ansible_user: eletrotupi
  +       ansible_ssh_private_key_file: ~/.ssh/id_ed25519

ansible/provision.yml

@@ -0,0 +1,36 @@
  + ---
  + # ansible/provision.yml
  + # Run once to fully provision the VPS.
  + #
  + # Usage:
  + #   ansible-playbook -i inventory/hosts.yml provision.yml --ask-become-pass
  + #
  + # What it does (in order):
  + #   1. bootstrap  — adds baseline packages
  + #   2. docker     — installs Docker Engine + Compose plugin
  + #   3. appuser    — creates the deploy user, copies the SSH key
  + #   4. directories — creates /srv/app/production
  + #   5. TODO: Add nginx + compose here as well
  + 
  + - name: Provision server
  +   hosts: vps
  +   become: yes
  +   become_method: doas
  + 
  +   roles:
  +     - bootstrap
  +     - docker
  +     - appuser
  +     - directories
  + 
  +   post_tasks:
  +     - name: Confirm deploy user can reach Docker
  +       ansible.builtin.command: docker info
  +       become_user: "{{ deploy_user }}"
  +       changed_when: false
  +       register: docker_check
  + 
  +     - name: Show Docker status
  +       ansible.builtin.debug:
  +         msg: "Docker is reachable by {{ deploy_user }}"
  +       when: docker_check.rc == 0

ansible/requirements.yml

@@ -0,0 +1,4 @@

1 + ---

2 + collections:

3 + - name: community.general # apk module, and others

4 + - name: ansible.posix # authorized_key (and other stuff) modules

ansible/roles/appuser/tasks/main.yml

@@ -0,0 +1,24 @@
  + ---
  + # Creates the deploy user, authorises the deploy key
  + 
  + - name: Create deploy group
  +   ansible.builtin.group:
  +     name: "{{ deploy_user }}"
  +     state: present
  + 
  + - name: Create deploy user
  +   ansible.builtin.user:
  +     name: "{{ deploy_user }}"
  +     group: "{{ deploy_user }}"
  +     groups: docker
  +     append: yes
  +     password: x # XXX: lazy, dumb password, replace with a encrypted vault
  +     shell: /bin/bash
  +     create_home: yes
  +     state: present
  + 
  + - name: Authorise deploy SSH public key
  +   ansible.posix.authorized_key:
  +     user: "{{ deploy_user }}"
  +     state: present
  +     key: "{{ lookup('file', deploy_ssh_pubkey_file) }}"

ansible/roles/bootstrap/tasks/main.yml

@@ -0,0 +1,18 @@
  + ---
  + # roles/bootstrap/tasks/main.yml
  + # Minimal server packages for Alpine Linux.
  + 
  + - name: Update apk cache
  +   community.general.apk:
  +     update_cache: yes
  + 
  + - name: Install baseline packages
  +   community.general.apk:
  +     name:
  +       - htop
  +       - vim
  +       - git
  +       - bash
  +       - docker
  +       - uacme
  +     state: present

ansible/roles/directories/tasks/main.yml

@@ -0,0 +1,42 @@
  + ---
  + # Creates /srv/app/{production,staging} owned by the deploy user
  + 
  + - name: Ensure /srv/app exists
  +   ansible.builtin.file:
  +     path: /srv/app
  +     state: directory
  +     owner: "{{ deploy_user }}"
  +     group: "{{ deploy_user }}"
  +     mode: "0750"
  + 
  + - name: Create per-environment directories
  +   ansible.builtin.file:
  +     path: "/srv/app/{{ item }}"
  +     state: directory
  +     owner: "{{ deploy_user }}"
  +     group: "{{ deploy_user }}"
  +     mode: "0750"
  +   loop: "{{ app_environments }}"
  + 
  + - name: Add README so the directories aren't mysterious
  +   ansible.builtin.copy:
  +     dest: "/srv/app/{{ item }}/README"
  +     owner: "{{ deploy_user }}"
  +     group: "{{ deploy_user }}"
  +     mode: "0640"
  +     content: |
  +       {{ item }} environment
  +       ----------------------
  +       docker-compose.yml  — compose file for this environment
  +       .env.{{ item }}     — secrets
  +       .env                — required by docker's arg variables
  +       valkey.conf         — valkey config
  +   loop: "{{ app_environments }}"
  + 
  + - name: Ensure /srv/static exists for thesis
  +   ansible.builtin.file:
  +     path: /srv/static
  +     state: directory
  +     owner: "{{ deploy_user }}"
  +     group: nginx
  +     mode: "0750"

ansible/roles/docker/tasks/main.yml

@@ -0,0 +1,18 @@
  + ---
  + # Installs Docker Engine + Compose plugin on Alpine Linux.
  + - name: Update apk cache
  +   community.general.apk:
  +     update_cache: yes
  + 
  + - name: Install Docker and Compose plugin
  +   community.general.apk:
  +     name:
  +       - docker
  +       - docker-cli-compose
  +     state: present
  + 
  + - name: Enable Docker service
  +   ansible.builtin.service:
  +     name: docker
  +     enabled: yes
  +     state: started