Training is an indispensable part of personal and professional experience.
For various reasons, it is not always easy to find time for it.
When I write an Ansible role, I try to make it complete and idempotent. This forces me to have a full knowledge of how a tool operates.
To avoid manual actions, I want to be able to manage my whole infrastructure with Ansible:
- tools and services
- different OS: Debian GNU/Linux and OpenBSD
- links and flows between the different elements
- I want to add some security layers (as best I can):
  - there will be users for services and users for data
  - Unix rights will be strict (no visibility on other users' data unless groups are shared or privileges are escalated)
  - resource management (using cgroups and systemd, or the limits.conf file on OpenBSD)
  - SSL for all communications
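As an added illustration of the service-user / data-user split, the strict Unix rights and the cgroup limits listed above, here is a small playbook. It is example code written for this page, not one of the author's roles, and it targets a Debian host with systemd only. The service name "app", the users "app" and "appdata", the path /srv/appdata and the unit app.service are assumptions.

```yaml
# Added example, not taken from the author's roles. Applies the layout
# described above for a hypothetical service "app" on Debian with systemd.
# The names app, appdata, /srv/appdata and app.service are assumptions.
- hosts: all
  become: true
  tasks:
    - name: Group of the data owner
      ansible.builtin.group:
        name: appdata
        system: true

    - name: Data user (owns the files, never logs in)
      ansible.builtin.user:
        name: appdata
        group: appdata
        system: true
        shell: /usr/sbin/nologin
        home: /srv/appdata
        create_home: false

    - name: Service user; its only link to the data is membership of appdata
      ansible.builtin.user:
        name: app
        system: true
        shell: /usr/sbin/nologin
        groups: [appdata]
        append: true

    - name: Data directory, 0750 (owner rwx, appdata group r-x, others nothing)
      ansible.builtin.file:
        path: /srv/appdata
        state: directory
        owner: appdata
        group: appdata
        mode: "0750"

    - name: Drop-in directory for the unit
      ansible.builtin.file:
        path: /etc/systemd/system/app.service.d
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: Run as the service user, under cgroup limits, with the data read-only
      ansible.builtin.copy:
        dest: /etc/systemd/system/app.service.d/override.conf
        owner: root
        group: root
        mode: "0644"
        content: |
          [Service]
          User=app
          Group=app
          MemoryMax=512M
          CPUQuota=50%
          TasksMax=256
          ProtectSystem=strict
          ProtectHome=true
          ReadOnlyPaths=/srv/appdata
      notify: app unit changed

    # Check the "no visibility on other users' data" rule from an unrelated
    # account: listing the data directory as nobody must fail.
    - name: Verify that an unrelated user cannot read the data directory
      ansible.builtin.command: ls /srv/appdata
      become_user: nobody
      register: nobody_ls
      changed_when: false
      failed_when: nobody_ls.rc == 0

  handlers:
    # Both handlers subscribe to one topic, so tasks notify the topic rather
    # than each handler by name; they run in the order defined here.
    - name: Reload systemd
      ansible.builtin.systemd:
        daemon_reload: true
      listen: app unit changed

    - name: Restart app
      ansible.builtin.systemd:
        name: app.service
        state: restarted
      listen: app unit changed
```

If the service has to write its own data, replace ReadOnlyPaths with ReadWritePaths=/srv/appdata and give the directory group write (0770); ProtectSystem=strict otherwise leaves the service with no writable path outside /dev, /proc and /sys.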
To find potential errors, I deploy all my roles in a hostile environment: a dedicated machine where all services coexist, without any VMs or containers.
Of course, I don't shrug immutability off. It's also a key part of a sane infrastructure, but it requires a fully-working one (from packaging to alerting).
As I don't yet have enough tooling to maintain immutable services, I won't work on it.
I therefore write my roles to answer those needs and they are available here: https://git.t18s.fr/.
The playbooks I used to deploy everything on my infrastructure are here: https://git.t18s.fr/ansible-playbooks/.
All roles and playbooks answer my own needs.
I try to make them abstract but it is impossible to make them work in all use-cases.
It is thus possible that they won’t work as you wish: be prepared.
I hope however they can be used as a basis to your own developments.
The roles and playbooks I've made allow me to deploy:
- a basic Debian system
- content servers (pfinger, pgopher, web)
- a secrets manager (bitwarden)
- an infrastructure of secrets management (consul and vault)
- git repositories (cgit)
- bitcoin-core services (btc, ltc, mnc)
From my initial plans, I still need to:
- rework the monitoring roles (for collectd, InfluxDB, Prometheus, Grafana)
- add monitoring tasks to the different elements of the infrastructure
- find a better way of handling mail from crontab
- add a Lightning Network process for the bitcoin and litecoin networks
- make all roles OpenBSD-compatible
- add tests for the roles (with molecule)
- rework the handlers (use listen everywhere)
- add more services (like a search engine)