Skip to content

hashbang/admin-tools

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

491 Commits

doc

doc

 
 

files

files

 
 

library

library

 
 

roles

roles

 
 

secrets

secrets

 
 

terraform

terraform

 
 

vault

vault

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

.travis.yml

.travis.yml

 
 

.vault_newpassphrase.sh

.vault_newpassphrase.sh

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

ansible.cfg

ansible.cfg

 
 

coreos.yml

coreos.yml

 
 

credentials.yml

credentials.yml

 
 

hosts

hosts

 
 

irc.yml

irc.yml

 
 

ldap_ban.yml

ldap_ban.yml

 
 

lint.sh

lint.sh

 
 

mail.yml

mail.yml

 
 

secrets.yml

secrets.yml

 
 

shell.yml

shell.yml

 
 

vault.yml

vault.yml

 
 

vault_passphrase.pgp

vault_passphrase.pgp

 
 

vault_passphrase.sh

vault_passphrase.sh

 
 

Repository files navigation

#! Admin Tools

Ansible playbooks and other admin tools/docs for maintaining the #! network.

Requirements

  • Recent version of Ansible
  • Local #! pass database
  • User with sudo access on all servers

Git configuration

You might also want to use the following snippet in ~/.gitconfig:

[diff "gpg"]
	textconv = gpg --no-tty --decrypt
	cachetextconv = false
[diff "ansible-vault"]
	textconv = ansible-vault view
	cachetextconv = false

SSH configuration

All the “service servers” (as opposed to shell servers) listen for SSH on port 8993 (ASCII-encoding of #!), and the user is core, with the following exceptions:

  • lon1.irc.hashbang.sh and sfo1.irc.hashbang.sh do not yet follow that convention;
  • git-infra.hashbang.sh is a service hosted on nyc3.apps.hashbang.sh which uses port 22.

This is expressed in the following .ssh/config snippet:

Host da1.hashbang.sh ny1.hashbang.sh sf1.hashbang.sh to1.hashbang.sh
     User your_nick

Host git-infra.hashbang.sh
     User git

Host sfo1.irc.hashbang.sh ldap.hashbang.sh
     User core

Host *.hashbang.sh hashbang.sh
     User core
     Port 8993

Playbooks

There are several playbooks present here:

  • shell.yml is used to synchronise the configuration (incl. installed packages) across the shell servers.

  • credentials.yml is used to deploy the admin's SSH keys across all servers:

    • admins can login as root on the shell servers;
    • they can login as core on the CoreOS servers.

  • coreos.yml performs CoreOS-specific tasks. Currently, it only bootstraps the Ansible agent's dependencies.

  • mail.yml deploy the mail aliases and Postfix configuration.

  • irc.yml deploys static and templated configuration to the IRC servers, including oper blocks for users defined in group_vars/all/users.yml.

  • ldap_ban.yml disables user accounts in LDAP and terminates their sessions on the shell servers; it requires python-ldap installed. Invoke as follows:

      ansible-playbook ldap_ban.yml

    For scripting purposes, the script accepts a comma-separated list of users, (users), and a Boolean determining if the homedirs should be deleted (delete).

Usage

Install a package

See doc/Installing_packages.md.

Making a configuration change

  1. Prepare your change for shell-etc, test it locally.
  2. Create a pull-request for it on Github, wait for a review.
  3. Perform a signed merge into master: git merge -S --no-ff branch
    Only merge into master things that you will deploy immediately. Do not merge if you aren't in a position to follow-up with a deploy.
  4. Run the shell.yml playbook, see below.

Sync packages & configuration across all shell servers

Simply run the appropriate Ansible playbook:

ansible-playbook shell.yml

About

Ansible playbooks and other admin tools used to administrate #! servers

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

17 stars

Watchers

21 watching

Forks

10 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 14

Languages