Contained within this repository are various scripts, playbooks, roles, and configs for services I run at home and work. Maybe you find them useful also. It is a work in progress as I return to the field and familiarize myself with the technologies and best practices of today. The tools I currently and primarily use for configuration management are Terraform, Ansible, Docker, and GNU BASH, and that is what you will find here.
For privacy and security reasons I have omitted several files that you will need to generate in addition to cloning this repo:
*NB: Emacs users may simply tangle these source blocks direct from this org file after removing the “examples” directory from the specified :tangle path first*
Not an entirely secure way of doing things but I haven’t really delved too far into this aspect of Terraform just yet. Create the file credentials.auto.tfvars and replace the values with your own. Be sure this file is included within your .gitignore file before pushing to a git repository.
configuration_management/terraform/credentials.auto.tfvars
cloudflare_token_secret = "someSecretTokenGeneratedByCloudFlare"
cloudflare_zone_id = "theZoneIdForThisDomainWithinMyCloudFlareAccount"
cloudflare_domain_0001-id = "theDomainUrlBelongingToTheZoneId"
cloudflare_domain_0001-ip = "theIPAddressForThisDomain"
linode_token = "someSecretTokenGeneratedByMyHostLinode"
pub_ssh_key = "~/.ssh/id_ed25519.pub"
configuration_management/ansible/inventory/hosts.ini
[erp]
erp.example.com
[www]
www.example.com
I use Ansible-Vault to encrypt sensitive variables used within my configurations. If you’ve already cloned this repo you will have a group_vars directory under the ansible directory. Within the group_vars directory create the following tree, where $host is the name of the group for which the vars files apply :
*group_vars*
|
---/$host/
|
--- *vars*
|
--- *vault*
Once you have done this and populated the values for your variables, you can simply encrypt your vault file with the following command:
ansible-vault encrypt configuration-management/ansible/group_vars/erphost/vault
You will be prompted for a password which you can store in a password manager such as KeePassXC.
configuration_management/ansible/group_vars/erp_host/vault
vault_ansible:
host: replaceWithTheIPAddressOfYourHost
user: root
become_pass: someSuperSecretRootPassword
ssh_private_key_file: /home/$USER/.ssh/id_ed25519
vault_erpnext:
admin_pass: supersecretadminpass
domain: erp.example.com
sites:
one: one.erp.example.com
two: two.erp.example.com
three: three.erp.example.com
four: four.erp.example.com
vault_mysql:
database: erpnext
port: 3306
root_user: root
root_pass: supersecretrootpass
user: erpnext
user_pass: supersecretuserpass
vault_traefik:
domain: traefik.example.com
email: [email protected]
password: "$apr1$RS0PWVu.$CeOlrOUtjRBvOiVFb.nhE0"