105 lines
4.5 KiB
Markdown
105 lines
4.5 KiB
Markdown
# Project Segfault Ansible (Production)
|
|
|
|
These are the ansible configs used in production on Project Segfault servers.
|
|
|
|
We have 2 different playbooks, one for setting up the basic things every one of our servers needs, and one for managing docker and caddy for our geographic nodes (mostly Privacy Frontends)
|
|
|
|
The configs/compose files for the Privacy Frontends are included here as well.
|
|
|
|
All files under this repo are licensed under the GPLv3, unless specified otherwise.
|
|
|
|
## Running Playbook(s)
|
|
Firstly, you need to install dependencies, which can be done with the following:
|
|
```
|
|
ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
|
|
```
|
|
Then, you can run the all playbook as such
|
|
```
|
|
ansible-playbook all/playbook.yaml # Initialize
|
|
```
|
|
For Privacy Frontends playbook, you need access to the ansible vault password, which you'll have if you are a segfault sysadmin :)
|
|
```
|
|
ansible-playbook -i inventory.yml -e @secrets.enc --ask-vault-pass privfrontends/playbook.yaml
|
|
```
|
|
Additionally, you can make use of the following ansible tags:
|
|
- caddy-non-update \- update Caddy configs but don't update caddy itself
|
|
- docker \- run docker compose stuff
|
|
- cron \- setup cronjobs for hourly restarts
|
|
|
|
Tags can be used with the following syntax: `--tag tag1,tag2,tag3`
|
|
## Ansible Vaults
|
|
Many parts of our privacy frontends configurations are meant to be private, such as HMAC keys and database passwords.
|
|
|
|
Hence, these are stored as variables using ansible-vault.
|
|
|
|
There are two different ansible-vaults in use in our setup, encrypted `host_vars` files per-host, and a global `secrets.enc`.
|
|
|
|
### secrets.enc
|
|
`/secrets.enc` contains private variables that are same for all our servers.
|
|
Currently, it contains the following: (as of 9/6/23)
|
|
- rfc2136_key \- RFC2136 key for DNS01
|
|
- watchtower_mtrx_pass \- Watchtower Matrix password
|
|
|
|
### host_vars
|
|
host_vars are dynamic variables that can be different for each host.
|
|
We have two encrypted host_vars files in our setup, one for the services, and one for healthchecks on cronjobs.
|
|
#### healthchecks.yaml (as of 9/6/23)
|
|
- invidious_hc_uuid - UUID for invidious hourly restart
|
|
- teddit_hc_uuid - UUID for teddit hourly restart
|
|
#### privfrontends_secrets.yaml (as of 9/6/23)
|
|
- scribe_secret_key_base
|
|
- nitter_hmac_key
|
|
- librarian_auth_token
|
|
- librarian_hmac_key
|
|
- searxng_secret_key
|
|
- anonymousoverflow_signing_secret
|
|
|
|
## Playbooks
|
|
### all
|
|
The `all` playbook contains the basics needed for every server on our infrastructure.
|
|
As of 9/6/23, it does the following:
|
|
- Installs vim, curl, wget, sudo, netstat, nmap, pip, chrony (ntp), vnstat (bw monitoring)
|
|
- Enables systemd services for VNStat and Chrony
|
|
- Adds bash configuration
|
|
- Creates users for the sysadmins and adds their ssh keys to it
|
|
- Allows sudo without password
|
|
- Adds an extra authorized_key on Soleil Levant servers for sshpiper
|
|
- Adds custom sshd configuration
|
|
### privfrontends
|
|
Our Geographic Privacy Frontends nodes are managed with this playbook.
|
|
As of 9/6/23, it does the following:
|
|
- Uses the caddy-ansible role to setup a caddy instance with the rfc2136 plugin added
|
|
- Copies per-server extras files
|
|
- Sets up the privacy frontends from a pre-defined list (it does ignore if there isnt any config change however to make sure its not extremely slow)
|
|
- Restart certain services every hour since they aren't very stable
|
|
|
|
## Adding new services
|
|
Firstly, add the thing to `docker_services` array/var in `/privfrontends/playbook.yaml`. This list **MUST** be maintaind in alphabetical order for ease of maintanence.
|
|
|
|
Then, create the `/compose/SERVICE_NAME` directory and add the compose file (compose.yml.j2) to the same. You can use the `{{inventory_hostname}}` variables where required.
|
|
|
|
If the service needs a secret key, add it to the ansible-vault secrets.enc with `ansible-vault edit secrets.enc`. If you are a Project Segfault sysadmin you already have the password for it :P
|
|
|
|
Past this, Caddy needs to be configured.
|
|
|
|
The common GeoDNS configuration can be done following this format
|
|
```
|
|
SERVICE_NAME.{{inventory_hostname}}.projectsegfau.lt SERVICE_NAME.projectsegfau.lt SERVICE_SHORT_NAME.psf.lt SERVICE_SHORT_NAME.{{inventory_hostname}}.psf.lt {
|
|
reverse_proxy :PORT
|
|
import def
|
|
import torloc SERVICE_NAME
|
|
}
|
|
```
|
|
|
|
To setup TOR, you have to add the following to privfrontends/templates/eu/darknet.Caddy
|
|
```
|
|
http://SERVICE_NAME.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
|
|
import tor SERVICE_NAME
|
|
reverse_proxy :PORT
|
|
}
|
|
```
|
|
|
|
Past this, you can run the deployment as outlined in the beginning.
|
|
|
|
Please inform me (Arya) if any part of this documentation isn't clear, I suck at writing documentation.
|