This is a collection of Ansible playbooks used in the deployment of the MITOC Trips web site, MITOC membership & waiver processing, and related infrastructure. The project allows local development on a setup closely mirroring that of production as well as a streamlined way to deploy changes.
There are playbooks supporting three separate environments:
Local development (
For local development, all services run within a virtual machine. Vagrant is used to automate the creation and modification of this virtual machine. To create a new virtual machine and provision it with Ansible, simply run:
After that, you will have a fully functional web server accessible at https://mitoc-trips.local
This playbook allows running all infrastructure on AWS. By default, it runs a Postgres server on the same instance as the webserver, but could easily be configured to use RDS instead.
Just like a local development machine, the EC2 instance can easily be created using Vagrant.
Store AWS credentials in
.aws/credentialsor directly in the
Create a keypair or import an existing one.
Install and configure
vagrant plugin install vagrant-aws vagrant box add dummy https://github.com/mitchellh/vagrant-aws/raw/master/dummy.box
Launch a new EC2 instance:
vagrant up --provider=aws
The production playbook contains various secrets used in production, including (but not limited to):
- The Django
- Full SSL certificate for mitoc-trips.mit.edu
- Usernames, hostnames, and passwords for various services, including:
It also uses some more time-intensive plays that wouldn't be necessary in development (for example - generating a strong Diffie-Hellman group).
For obvious reasons, secrets within this file are encrypted using Ansible
In the public version of this repository, I have used
git filter-branch to
redact encrypted secrets (if we make the encrypted secrets open source, one could
theoretically brute-force the Ansible-vault password).
This repository originally used
ansible-vault to encrypt entire files, but
later transitioned to using
encrypt_string. The following
multi-line regular expression substitution can redact both types of secret
storage in Git history:
# When !vault is present, it indicates output from `encrypt_string`. # When !vault is absent, we're matching (and replacing) an entire file encrypted with Ansible-vault regex='(!vault \|\n)?' # The `$ANSIBLE_VAULT` string indicates encrypted contents from `ansible-vault`. # The capture group includes the version and the algorithm used for encryption regex+='\s*\$ANSIBLE_VAULT;(.*)' # All lines following `$ANSIBLE_VAULT` are output from Python's `hexify()` regex+='(\n\s*[0-9a-f]+)*' # Finally, we capture the final newline regex+='\n' # Any encrypted content is replaced, inline, with 'REDACTED' perl -0777 -i -pe "s/$regex/REDACTED\n/g" $1;
Production (an EC2 instance running Ubuntu server) is deployed directly with Ansible:
ansible-playbook -i hosts production.yml -u ubuntu --private-key=<path_to_iam_user_key>
The repository is a modified fork of Johnathan Calazan's ansible-django-stack.