NeonTech/ansible

ansible

Inventory and automation of NeonTech infrastructure using Ansible. This repository follows Ansible's sample alternative directory layout.

Requirements

Skip this section if running playbooks on NeonTech infrastructure.

Otherwise, significant changes to this repository are required to have playbooks function as intended. The following list is currently not exhaustive (contributions welcome!):

  1. Create a password and store it securely. It is recommended to use a trusted password manager and/or ferroelectric USB. This will be needed to encrypt files using ansible-vault.

  2. Find and replace every instance of neontech.dev with a new domain.

  3. Remove all content from known_hosts, but do not delete the file.

  4. Replace all SSH public/private keys for every host in ssh. Remember to encrypt the private keys using ansible-vault: the -N '' option creates them without a passphrase, so vault encryption is their only protection at rest. SSH public/private keys can be generated by executing the following:

    ssh-keygen -t ed25519 -a 100 -C "ansible" -N '' -q -f ./ssh/<environment>/<host>_<user>_ed25519

  5. Replace the public certificates in roles/step_ca/files/certs. Step CA can be initialized locally to generate valid certificates.

    a. Replace ca_fingerprint in inventories/<environment>/group_vars/all/ca.yml.

  6. Delete all encrypted variable files in inventories by searching for $ANSIBLE_VAULT;1.1;AES256. Recreate the variable files using the vault_ variables referenced in their respective non-encrypted files. Remember to encrypt the recreated files using ansible-vault.

  7. Edit all unencrypted variable files as needed. Refer to roles/<role>/defaults for available variables.
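A quick audit for steps 4 and 6, added here as an example and not part of this repository: it lists files whose first line is the $ANSIBLE_VAULT;1.1;AES256 header and flags private keys that are still plaintext. The sample tree, the production environment and the hosts web1 and db1 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit which files in a checkout are whole-file vault-encrypted.
# The header string is the one named in step 6; all sample paths are constructed.
VAULT_HEADER='$ANSIBLE_VAULT;1.1;AES256'

# Succeeds when the first line of FILE is the vault header.
is_vault_encrypted() {
    [ "$(head -n 1 "$1" 2>/dev/null)" = "$VAULT_HEADER" ]
}

# Step 6: print every vault-encrypted file under DIR.
list_vault_files() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if is_vault_encrypted "$f"; then printf '%s\n' "$f"; fi
    done
}

# Step 4: print private keys under DIR that are still plaintext (*.pub skipped).
list_plaintext_keys() {
    find "$1" -type f ! -name '*.pub' | sort | while IFS= read -r f; do
        if ! is_vault_encrypted "$f" &&
           grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample tree (hypothetical hosts web1/db1) for offline runs.
make_sample() {
    keys="$1/ssh/production" vars="$1/inventories/production/group_vars/all"
    mkdir -p "$keys" "$vars"
    printf '%s\n' "$VAULT_HEADER" '61626364' > "$keys/web1_ansible_ed25519"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' \
        '-----END OPENSSH PRIVATE KEY-----' > "$keys/db1_ansible_ed25519"
    printf '%s\n' 'ssh-ed25519 AAAAconstructed ansible' > "$keys/db1_ansible_ed25519.pub"
    printf '%s\n' "$VAULT_HEADER" '61626364' > "$vars/vault.yml"
    printf '%s\n' 'ca_fingerprint: constructed' > "$vars/ca.yml"
}

demo=$(mktemp -d)
make_sample "$demo"
echo "Encrypted variable files to recreate (step 6):"
list_vault_files "$demo/inventories"
echo "Private keys not yet vault-encrypted (step 4):"
list_plaintext_keys "$demo/ssh"
rm -rf "$demo"
```

Only the first line of each file is checked, so vault-encrypted values embedded inline in an otherwise plaintext YAML file are not listed.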

It is also important to keep in mind that this repository is currently in active development. There are gaps in the automation, as indicated by TODO comments, and breaking changes may occur spontaneously without warning. USE AT YOUR OWN RISK!

Getting Started

  1. Clone the repository:

    git clone https://github.com/NeonTech/ansible.git

  2. Set the working directory as the root of the repository:

    cd ansible

  3. Initialize the repository:

    scripts/initialize.sh

  4. Test connections to hosts:

    ansible all --inventory inventories/<environment>/hosts --vault-password-file vault-password-file --module-name ansible.builtin.ping

  5. Run the site.yml playbook to deploy everything:

    ansible-playbook site.yml --inventory inventories/<environment>/hosts --vault-password-file vault-password-file
