Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add: ansible playbook for configuring new caching content servers #4

Merged
merged 1 commit into from Nov 30, 2020

Conversation

LordAro
Copy link
Member

@LordAro LordAro commented Nov 17, 2020

First pass. Everything runs successfully, but further changes are probably required.

Still to do:

  • Configure IPv6 (How? Consider configuring networking with systemd-networkd)
  • Do something with bananas-notifier.py ?
  • Actually test the content caching (I didn't have any real URLs to test with)

Copy link
Member

@TrueBrain TrueBrain left a comment

Nice :D

Bunch of comments, most because I wasn't sure if you remembered these requests on IRC or if they got lost in the void :) So just a kind reminder we need those before we can go live with this :)

Regarding IPv6, as mentioned on IRC:
https://docs.ovh.com/gb/en/vps/configuring-ipv6/#persistent-application-on-debian-and-its-derivatives-ubuntu-crunchbang-steamos

URLs to test with:
https://bananas.cdn.staging.openttd.org/base-graphics/4f474658/99ef7df70a3fe95f0f9da6dcb5e63444/FOR-TESTING-ONLY.tar.gz
https://bananas.cdn.openttd.org/base-graphics/4f474658/99ef7df70a3fe95f0f9da6dcb5e63444/FOR-TESTING-ONLY.tar.gz

So valid URLs should also be:
https://bananas-1.cdn.staging.openttd.org/base-graphics/4f474658/99ef7df70a3fe95f0f9da6dcb5e63444/FOR-TESTING-ONLY.tar.gz
https://bananas-1.cdn.openttd.org/base-graphics/4f474658/99ef7df70a3fe95f0f9da6dcb5e63444/FOR-TESTING-ONLY.tar.gz
And same for http instead of https and 2 instead of 1 :)

This is OpenGFX, so we can just publicly announce the md5sum :D

ansible/content-servers.yml Outdated Show resolved Hide resolved
ansible/content-servers.yml Outdated Show resolved Hide resolved
ansible/content-servers.yml Outdated Show resolved Hide resolved
ansible/content-servers.yml Outdated Show resolved Hide resolved
ansible/content-servers.yml Outdated Show resolved Hide resolved
ansible/files/sshd_config Outdated Show resolved Hide resolved
ansible/content-servers.yml Outdated Show resolved Hide resolved
ansible/content-servers.yml Outdated Show resolved Hide resolved
ansible/content-servers.yml Outdated Show resolved Hide resolved
ansible/content-servers.yml Outdated Show resolved Hide resolved
@TrueBrain
Copy link
Member

TrueBrain commented Nov 17, 2020

Shouldn't we also provision authorized_keys via Ansible? At least that keeps it clear here too who has access to those boxes? (once again, honest question)

@LordAro
Copy link
Member Author

LordAro commented Nov 17, 2020

We can do, if you'd like to do user management via ansible as well - I wouldn't want everyone to share the debian user in that case. I was kinda avoiding it and just using the debian user.

@TrueBrain
Copy link
Member

TrueBrain commented Nov 17, 2020

I would like to avoid if only 1 person has access to the VPSes. We used to share the password to it, but .. that is these days not the best thing to do :D So any form of having more than 1 person with access would be my preference.

Personally, I wouldn't care if that is the debian user, as the SSH logs which SSH key gained access to the account anyway. But I leave that up to you :)

Cheers for the other changes!

ansible/content-servers.yml Outdated Show resolved Hide resolved
ansible/content-servers.yml Outdated Show resolved Hide resolved
Copy link
Member

@TrueBrain TrueBrain left a comment

Some minor things, mostly this looks fine to me :)

ansible/content-servers.yml Outdated Show resolved Hide resolved
ansible/content-servers.yml Outdated Show resolved Hide resolved
ansible/group_vars/all Show resolved Hide resolved
ansible/group_vars/bananas_fileservers Outdated Show resolved Hide resolved
ansible/group_vars/bananas_fileservers Outdated Show resolved Hide resolved
ansible/group_vars/bananas_fileservers Outdated Show resolved Hide resolved
@LordAro LordAro force-pushed the ansible-content branch 2 times, most recently from c93e618 to f694797 Compare Nov 18, 2020
@TrueBrain
Copy link
Member

TrueBrain commented Nov 18, 2020

Tested:

  • IPv4 / IPv6
  • Staging / Production
  • Cache

So LGTM.

Things worth considering:

  • Add firewall to only allow 22/80/443, "just in case"
  • Remove X- headers from cache return: X-Cache, X-Amz-Cf-Pop, X-Amz-Cf-Id. It feels weird to keep those in the cached results. But I am not sure about it, so I need opinions :)

@LordAro
Copy link
Member Author

LordAro commented Nov 18, 2020

What sort of firewall are you considering? ufw? It's already running nftables as part of sshguard, could make use of that

Seems reasonable to drop those headers if they're not useful, but I've no idea what they're for or if they matter

@TrueBrain
Copy link
Member

TrueBrain commented Nov 19, 2020

I dunno ... pick one? I personally would just slam in some iptables rules, but I don't know all these fancy new things :P I am sure ansible has something for that :D

Regarding the headers, they are AWS headers, and can be dropped safely, without any issue. They just indicate which server responded to the request, so you can trace problems (if any). The X-Cache indicates if the AWS server had it in his cache, and can be ignored safely too. It really doesn't matter, but it is "nicer" to remove them, but in no way required.

@LordAro
Copy link
Member Author

LordAro commented Nov 19, 2020

I'd use iptables too! I only found out about nftables after looking into why sshguard wasn't working as i was expecting
https://github.com/ipr-cnrs/nftables exists, and would probably be the way to go with nftables, but I'd need to read some more about it to actually work out what's needed

Removing cache headers seems the way to go, I presume it's easy enough to do

@LordAro
Copy link
Member Author

LordAro commented Nov 23, 2020

Done. I think. I had to do some manual "recovery" work along the way, so I can't be quite certain that the playbook would all work from a "completely clean" install, but it's basically right. (If you reset one of them for me, I'm happy to try!)

Firewall implemented with firewalld & nftables (shiny and new!). Only required a small amount of stuff installed from buster-backports to make it work :) . Tested by running an http server on port 8000 and disabling the firewall. Even remembered to allow DHCP before the lease expired and everything fell over!

Cache headers removed as well - remaining:

 > curl -I https://bananas-1.cdn.openttd.org/base-graphics/4f474658/99ef7df70a3fe95f0f9da6dcb5e63444/FOR-TESTING-ONLY.tar.gz
HTTP/2 200 
server: nginx/1.14.2
date: Mon, 23 Nov 2020 22:34:02 GMT
content-type: application/x-tar
content-length: 3534047
last-modified: Mon, 27 Apr 2020 11:22:22 GMT
age: 75073
x-cache-status: HIT
accept-ranges: bytes

Copy link
Member

@TrueBrain TrueBrain left a comment

LGTM! Nice job :D

@LordAro LordAro merged commit 3c01bab into master Nov 30, 2020
5 checks passed
@LordAro LordAro deleted the ansible-content branch Nov 30, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants