Ansible playbooks and other admin tools used to administer #! servers
Latest commit 06f85a9 Jul 1, 2018
Repository contents, with the last commit that touched each path:

  • doc: Merge PR#106: doc/New admin: Minor improvements (Oct 31, 2017)
  • files: add benharri to configs (Jun 30, 2018)
  • library: secrets/ldap: Add a playbook for setting LDAP passwords (Nov 20, 2017)
  • roles: Update roles/coreos-authorized_keys (Nov 17, 2017)
  • secrets: secrets/ldap: Add a playbook for setting LDAP passwords (Nov 20, 2017)
  • terraform: tf/modules/r53/main.tf: Change LDAP DNS records (Mar 13, 2018)
  • vault: readd my email (Jul 1, 2018)
  • .gitattributes: Update lists of vault files (Sep 6, 2017)
  • .gitignore: Terraform: R53 DNS in code (May 13, 2017)
  • .gitmodules: Refactor CoreOS stuff (Dec 14, 2015)
  • .travis.yml: Merge branch 'master' into certs (Sep 5, 2017)
  • .vault_newpassphrase.sh: vault_newpassphrase.sh: Update gpg invocation (Aug 1, 2017)
  • LICENSE.md: Added LICENSE file. (Sep 27, 2015)
  • README.md: Update doc and inventory for the SSH port of ldap.#! (Jul 1, 2018)
  • ansible.cfg: ansible.cfg: Enforce sufficient parallelism to handle all hosts (Dec 5, 2017)
  • coreos.yml: Use file-local variables to make Emacs load the Ansible minor mode (Sep 22, 2017)
  • credentials.yml: Avoid using `strategy: free` in playbooks (Dec 5, 2017)
  • hosts: Update doc and inventory for the SSH port of ldap.#! (Jul 1, 2018)
  • irc.yml: Avoid using `strategy: free` in playbooks (Dec 5, 2017)
  • ldap_ban.yml: ldap_ban: Use quoting to guard against spaces in secrets (Dec 17, 2017)
  • lint.sh: Move secret-handling playbooks to secrets/ (Nov 20, 2017)
  • mail.yml: Use file-local variables to make Emacs load the Ansible minor mode (Sep 22, 2017)
  • secrets.yml: secrets/ldap: Add a playbook for setting LDAP passwords (Nov 20, 2017)
  • shell.yml: Avoid using `strategy: free` in playbooks (Dec 5, 2017)
  • vault.yml: Use file-local variables to make Emacs load the Ansible minor mode (Sep 22, 2017)
  • vault_passphrase.pgp: add re-encrypted vault passphrase (Jul 1, 2018)
  • vault_passphrase.sh: add my key fingerprint to RECIPIENTS (Jul 1, 2018)

README.md

#! Admin Tools

Ansible playbooks and other admin tools/docs for maintaining the #! network.

Requirements

  • Recent version of Ansible
  • Local #! pass database
  • User with sudo access on all servers

Git configuration

You might also want to use the following snippet in ~/.gitconfig. It teaches git diff to show the plaintext of GPG-encrypted and ansible-vault-encrypted files for the paths that carry a diff=gpg or diff=ansible-vault attribute in the repository's .gitattributes; cachetextconv = false stops git from caching the decrypted output in notes under refs/notes/textconv/, so no plaintext ends up stored in the repository on disk:

[diff "gpg"]
	textconv = gpg --no-tty --decrypt
	cachetextconv = false
[diff "ansible-vault"]
	textconv = ansible-vault view
	cachetextconv = false

SSH configuration

All the “service servers” (as opposed to the shell servers) listen for SSH on port 8993 (0x2321, the two ASCII bytes of #! read as one 16-bit number), and the login user is core, with the following exceptions:

  • lon1.irc.hashbang.sh and sfo1.irc.hashbang.sh do not yet follow that convention;
  • git-infra.hashbang.sh is a service hosted on nyc3.apps.hashbang.sh which listens on port 22 and is reached as user git.

The shell servers themselves (da1, ny1, sf1, to1) are reached with your own account. This is expressed in the following .ssh/config snippet. ssh takes the first value it finds for each option, so the host-specific blocks must come before the wildcard block, and hashbang.sh is listed next to *.hashbang.sh because the wildcard does not match the bare domain. A block that only sets User still picks up Port 8993 from the wildcard block, so a host that really listens on 22 needs an explicit Port 22 in its own block:

Host da1.hashbang.sh ny1.hashbang.sh sf1.hashbang.sh to1.hashbang.sh
     User your_nick

Host git-infra.hashbang.sh
     User git
     Port 22

Host sfo1.irc.hashbang.sh ldap.hashbang.sh
     User core

Host *.hashbang.sh hashbang.sh
     User core
     Port 8993
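To see what ssh actually picks for each host from a config like the one above, the following added example (not code from the #! admin-tools repository) resolves User and Port with the same first-value-wins rule ssh(1) applies. It embeds the README snippet as its test input, once as written and once with an explicit Port 22 added to the git-infra block, and shows that without that line git-infra silently inherits port 8993 from the wildcard block. It is a deliberate simplification: only Host blocks with * and ? globs are supported, with no Match, Include, negated patterns or hostname canonicalisation.

```python
"""Resolve User/Port for a host from an ssh_config fragment (added example).

Mirrors ssh(1)'s rule that the first value obtained for an option wins.
Assumptions: plain Host blocks with */? globs only; no Match, Include,
negation (!pattern) or CanonicalizeHostname handling.
"""
import re
from fnmatch import fnmatchcase

# The README's snippet, embedded verbatim as constructed test input.
README_SNIPPET = """\
Host da1.hashbang.sh ny1.hashbang.sh sf1.hashbang.sh to1.hashbang.sh
     User your_nick

Host git-infra.hashbang.sh
     User git

Host sfo1.irc.hashbang.sh ldap.hashbang.sh
     User core

Host *.hashbang.sh hashbang.sh
     User core
     Port 8993
"""

# Same snippet with the explicit port the README says git-infra listens on.
FIXED_SNIPPET = README_SNIPPET.replace(
    "Host git-infra.hashbang.sh\n     User git\n",
    "Host git-infra.hashbang.sh\n     User git\n     Port 22\n",
)


def parse_ssh_config(text):
    """Return [(patterns, {option: value}), ...] in file order."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = (value.lower().split(), {})   # several patterns per Host line
            blocks.append(current)
        else:
            if current is None:
                # Options before the first Host line apply to every host.
                current = (["*"], {})
                blocks.append(current)
            current[1].setdefault(key, value)   # first occurrence in a block wins
    return blocks


def resolve(config_text, host):
    """Return (user, port) ssh would use for `host`; user is None if unset."""
    chosen = {}
    host = host.lower()
    for patterns, options in parse_ssh_config(config_text):
        if any(fnmatchcase(host, p) for p in patterns):
            for key, value in options.items():
                chosen.setdefault(key, value)   # earlier matching block wins
    return chosen.get("user"), int(chosen.get("port", 22))   # ssh default port


if __name__ == "__main__":
    for h in ("da1.hashbang.sh", "git-infra.hashbang.sh",
              "ldap.hashbang.sh", "hashbang.sh"):
        print(f"{h:24} as written: {resolve(README_SNIPPET, h)}"
              f"   with Port 22: {resolve(FIXED_SNIPPET, h)}")
```

Run it as a script to print the table; the instructive rows are git-infra, which resolves to port 8993 until its own block names Port 22, and da1, which keeps User your_nick from the first block but still takes Port 8993 from the last one.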

Playbooks

There are several playbooks present here:

  • shell.yml synchronises the configuration (including installed packages) across the shell servers.

  • credentials.yml deploys the admins' SSH keys across all servers:

    • admins can log in as root on the shell servers;
    • they can log in as core on the CoreOS servers.

  • coreos.yml performs CoreOS-specific tasks. Currently it only bootstraps the dependencies Ansible needs on the CoreOS hosts.

  • mail.yml deploys the mail aliases and the Postfix configuration.

  • irc.yml deploys static and templated configuration to the IRC servers, including oper blocks for the users defined in group_vars/all/users.yml.

  • ldap_ban.yml disables a user's account in LDAP and terminates their sessions on the shell servers. Invoke it as follows, with double quotes so that the shell expands the variable (inside single quotes the literal string ${USERNAME} would be handed to the playbook):

      ansible-playbook ldap_ban.yml -e "user=${USERNAME}"
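Because a ban is a privileged, destructive action, the invocation is a natural place to validate the user name before anything reaches the playbook. The following added example (not code from the #! admin-tools repository) wraps the command shown above: it refuses anything that is not a plain POSIX-style user name, passes the variable as JSON through --extra-vars so spaces or a stray "=" in the value can never be re-split into several variables, and calls ansible-playbook with an argv list rather than a shell string, which removes the quoting question altogether. It assumes only what the README states, namely that ldap_ban.yml takes a single extra variable named user.

```python
"""Safe wrapper for `ansible-playbook ldap_ban.yml` (added example).

Assumes only that ldap_ban.yml consumes an extra variable named `user`.
"""
import json
import re
import subprocess

# Portable POSIX user-name shape: a lowercase letter or underscore, then up to
# 31 characters of [a-z0-9_-]. Assumption: #! account names follow this rule.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_valid_username(name):
    """True for names that are safe to hand to the playbook unchanged."""
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None


def build_ban_command(user, check=False):
    """Return the argv for banning `user`; raise ValueError on a bad name."""
    if not is_valid_username(user):
        raise ValueError(f"refusing to ban {user!r}: not a plain user name")
    # JSON extra-vars are parsed as data by ansible-playbook, so the value is
    # never split on whitespace or re-interpreted as further key=value pairs.
    argv = ["ansible-playbook", "ldap_ban.yml",
            "--extra-vars", json.dumps({"user": user})]
    if check:
        argv.append("--check")   # dry run, for tasks that support check mode
    return argv


def ban_user(user, check=False):
    """Run the playbook. The argv list form involves no shell, so no quoting."""
    return subprocess.run(build_ban_command(user, check), check=True)


if __name__ == "__main__":
    import sys
    ban_user(sys.argv[1], check="--check" in sys.argv[2:])
```

Usage: python ban.py alice (add --check to preview). Pasting "alice bob" or "alice; id" is rejected before ansible-playbook is ever started.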
    

Usage

Install a package

See doc/Installing_packages.md.

Making a configuration change

  1. Prepare your change in the shell-etc repository and test it locally.
  2. Create a pull request for it on GitHub and wait for a review.
  3. Perform a signed merge into master: git merge -S --no-ff branch
     -S signs the merge commit with your configured GPG key (user.signingkey), and --no-ff guarantees that a merge commit exists to carry that signature even when a fast-forward would have been possible.
     Only merge into master things that you will deploy immediately. Do not merge if you aren't in a position to follow up with a deploy.
  4. Run the shell.yml playbook, see below.

Sync packages & configuration across all shell servers

Simply run the appropriate Ansible playbook (ansible-playbook also accepts --check --diff for a dry run that reports what would change on each host without applying it):

ansible-playbook shell.yml