Ansible playbook for MONARC deployment

This playbook deploys the whole MONARC architecture according to the figure below.

(Figure: MONARC architecture)

Ansible roles

There are three roles, described below.

monarcco

Common tasks for the front office and the back office.

monarcbo

Backoffice.

monarcfo

Front office. There can be multiple installations per client to balance the load.

Requirements

  • Git and Python 3 on all servers (using poetry is recommended);
  • Ansible must be installed on the configuration server;
  • Postfix on the BO and all FO servers (for the password recovery feature of MONARC).

Get the playbook for MONARC and install Ansible on the configuration server:

$ git clone https://github.com/monarc-project/ansible-ubuntu.git
$ cd ansible-ubuntu/
$ poetry install
$ poetry shell

Configuration

  • create a user named ansible on each server:

      sudo adduser ansible

  • generate an SSH key for the user ansible on the configuration server:

      ssh-keygen -t rsa -C "your_email@example.com"

  • from the configuration server, copy that key to each server:

      ssh-copy-id ansible@BO/FO/RPX

  • add the user ansible to the sudo group:

      sudo usermod -aG sudo ansible

  • add the user www-data to the ansible group:

      sudo usermod -aG ansible www-data

  • allow ansible to use sudo without a password by adding the following line to /etc/sudoers with visudo:

      ansible ALL=(ALL:ALL) NOPASSWD:ALL

  • create a configuration file, inventory/hosts, for Ansible:

      [dev]
      FO
    
      [dev:vars]
      master="BO"
      publicHost="monarc.example.com"
    
      [master]
      BO monarc_sql_password="password"
    
      [rpx]
      RPX.localhost
    
      [monarc:children]
      rpx
      master
      dev
    
      [monarc:vars]
      env_prefix=""
      clientDomain="monarc.example.com"
      emailFrom="info@example.com"
      github_auth_token="<your-github-auth-token>"
      protocol="https"
      certificate="sslcert.crt"
      certificatekey="sslcert.key"
      certificatechain="sslcert.crt"
      bourlalias="monarcbo"
      localDNS="example.com"
      terms="https://my.monarc.lu/terms.html"
      stats_service="/var/lib/monarc/stats-service"
    

    The variable monarc_sql_password is the password for the SQL database on the BO.

  • finally, launch Ansible:

      ansible@CFG:~/ansible-ubuntu/playbook$ ansible-playbook -i ../inventory/ monarc.yaml --user ansible
    

Ansible will install and configure the back office, the front office and the reverse proxy. Consequently the configuration server should be able to contact these servers through SSH.
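As an added example (not code from the ansible-ubuntu project), the POSIX shell script below sanity-checks an inventory/hosts file before the playbook is launched: it flags a default or short monarc_sql_password, a github_auth_token still set to the <placeholder>, a protocol other than https, a missing certificatekey when the certificate is not letsencrypt, and a file readable by group or others, since the inventory holds the SQL password and the token in clear text. The checks, the 12-character threshold and the sample inventories are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the ansible-ubuntu project: sanity-check an
# inventory/hosts file before running the playbook. The checks and the
# thresholds below are this example's own assumptions.

# ini_value FILE KEY: print the value of the first key=value or key="value"
# token in FILE (host-line variables included); prints nothing if absent.
ini_value() {
    awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2); gsub(/^"|"$/, "", v)
                print v; exit
            }
    }' "$1"
}

# check_inventory FILE: print one line per finding plus a summary line;
# exit status 0 when no finding was raised, 1 otherwise.
check_inventory() {
    f=$1; n=0
    pw=$(ini_value "$f" monarc_sql_password)
    tok=$(ini_value "$f" github_auth_token)
    proto=$(ini_value "$f" protocol)
    cert=$(ini_value "$f" certificate)
    key=$(ini_value "$f" certificatekey)

    if [ -z "$pw" ] || [ "$pw" = password ] || [ ${#pw} -lt 12 ]; then
        echo "monarc_sql_password is empty, the default, or shorter than 12 chars"; n=$((n + 1))
    fi
    case "$tok" in
        ""|"<"*) echo "github_auth_token is empty or still the <placeholder>"; n=$((n + 1)) ;;
    esac
    [ "$proto" = https ] || { echo "protocol is '$proto', expected https"; n=$((n + 1)); }
    if [ "$cert" != letsencrypt ] && { [ -z "$cert" ] || [ -z "$key" ]; }; then
        echo "certificate and certificatekey must both be set unless certificate=letsencrypt"; n=$((n + 1))
    fi
    # The file holds the SQL password and the GitHub token: only its owner should read it.
    if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "$f is group- or world-readable; chmod 600 it"; n=$((n + 1))
    fi
    echo "$n finding(s)"
    [ "$n" -eq 0 ]
}
```

Run it as `check_inventory inventory/hosts` from the playbook checkout; a non-zero exit status means at least one finding was printed.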

Notes

Updating the inventory of Ansible

Adding or removing entries in the Ansible inventory can be done with the script update.sh, run via cron as the user 'ansible':

ansible@CFG:~$ crontab -l
/home/ansible/ansible-ubuntu/playbook/update.sh /home/ansible/ansible-ubuntu/playbook/ $BO_ADDRESS `which ansible-playbook`

Optionally as a fourth argument you can specify the Python executable (environment) to use.

The script update.sh will:

  • update the inventory of Ansible;
  • launch Ansible for the creation/suppression of clients;
  • synchronize the template of deliveries.

The add_inventory.py and del_inventory.py scripts are used to dynamically edit the inventory files of the configuration server. These scripts are used by update.sh.

You can use list_inventory.py to check all the current clients in the inventory of Ansible. If you want to check the connectivity between the configuration server and the front office servers:

ansible@CFG:~$ ./list_inventory.py ../inventory/ | cut -f 1 -d ' ' | uniq | xargs -n 1 ping -w 1

Inventory migrations

1. Add statsToken

This migration adds a Stats Service token (statsToken) to the clients without this token.

ansible@CFG:~/ansible-ubuntu/inventory/migrations$ ./001-add_stats_token_to_inventory.py ../

TLS certificate

Self-signed certificate

Generation of the certificate:

sudo openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout /etc/sslkeys/monarc.key -out /etc/sslkeys/monarc.crt

Then provide the path of the certificate (here monarc.crt) and the path of the certificate key in the configuration file (inventory/hosts). You can generally set certificatechain to the empty string.

Let's Encrypt certificate

Generation of the certificate:

sudo -E letsencrypt certonly --agree-tos -m <your-email> --webroot -d <clientDomain> -w /var/www/letsencrypt/

Then simply set the value of certificate to letsencrypt, and set the values of certificatekey and certificatechain to the empty string.

Postfix

Installation of Postfix on the BO and the FO is not done by Ansible. You have to do it manually.

Backup

Ansible keeps an up-to-date database backup script on each FO server instance. This script is located at /usr/local/bin/backup_monarc_db.sh and is updated by Ansible on each client creation/deletion.

You only need to add a cron rule that launches the script periodically.

The database backups will be placed in the folder /var/lib/mysql-backup/monarc/

Issues

For security issues, please contact us at info@cases.lu.

For other issues (ideas, improvements, etc.), you can submit them directly on GitHub.
