Merge pull request #377 from multinet-app/ansible-ssl

All ansible steps for ssl and add vagrant back for testing
multinet-app · May 5, 2020 · 950f476 · 950f476
2 parents 02e6899 + b594996
commit 950f476
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 4 deletions.
diff --git a/devops/.gitignore b/devops/.gitignore
@@ -0,0 +1,2 @@
+.vagrant/
+ubuntu-bionic-18.04-cloudimg-console.log
diff --git a/devops/README.md b/devops/README.md
@@ -4,14 +4,29 @@ The `arangodb.yml` Ansible playbook in this directory installs and configures
 ArangoDB on an Ubuntu server. It does the following:
 - installs ArangoDB
 - sets a password on the root account
-- configures it to listen on all interfaces
+- copies an SSL certificate to the server
+- configures it to listen on all interfaces using SSL
 - starts the service
 
 To set the root account password, you can either supply it on the command line
 (see below) or just let Ansible prompt you for it.
 
-To run it via ssh, run a command such as the following:
+To use a wildcard SSL certificate for your domain you'll need to supply one (we use Let's Encrypt) and pass in the file path to the command.
+If you're using a provider other than Let's Encrypt, you'll have to modify the playbook to work with your provider and file structure. 
+If you're using Let's Encrypt, follow along with [this](https://medium.com/@saurabh6790/generate-wildcard-ssl-certificate-using-lets-encrypt-certbot-273e432794d7) 
+guide to generate a wildcard certificate. This playbook assumes you have the certificate files, that they're in the default location, and that they are readable by the user running the ansible playbook.
+If you don't want a ssl certificate, you'll have to modify the playbook and remove the `ssl_cert_path` env var from the command below.
+
+To run the ansible playbook via ssh, run a command such as the following:
+
+```
+ansible-playbook arangodb.yml -i <target-hostname>, --ssh-extra-args="-i <identity.pem>" -e arangodb_root_password=<password> ssl_cert_path=<path-to-files>
+```
+
+# Vagrant
+
+To test locally, you can use vagrant. Vagrant is a python package that is easily installed on most systems. If you need help installing it, please read the [docs](https://www.vagrantup.com/docs/installation/). Once you have Vagrant installed, you can run the vagrant file using:
 
 ```
-ansible-playbook arangodb.yml -i <target-hostname>, --ssh-extra-args="-i <identity.pem>" -e arangodb_root_password=<password>
+vagrant up
 ```
diff --git a/devops/Vagrantfile b/devops/Vagrantfile
@@ -0,0 +1,20 @@
+Vagrant.require_version ">= 1.7.0"
+
+Vagrant.configure(2) do |config|
+
+  config.vm.provider "virtualbox" do |v|
+    v.name = "multinet-ubuntu-arango-test"
+    v.memory = 4096
+    v.cpus = 2
+  end
+
+  config.vm.box = "ubuntu/bionic64"
+  config.ssh.insert_key = false
+
+  config.vm.provision "ansible" do |ansible|
+    ansible.playbook = "arangodb.yml"
+    ansible.raw_arguments  = [
+      "-e arangodb_root_password=letmeinvfile"
+    ]
+  end
+end
diff --git a/devops/arangodb.yml b/devops/arangodb.yml
@@ -9,6 +9,10 @@
     - name: arangodb_root_password
       prompt: "Password for ArangoDB root account"
 
+    - name: ssl_cert_path
+      prompt: "Path to parent SSL cert directory"
+      default: "/etc/letsencrypt/live/multinet.app/"
+
   tasks:
     # https://www.arangodb.com/download-major/ubuntu/
     - name: Add arangodb release key
@@ -42,11 +46,45 @@
       shell: ARANGODB_DEFAULT_ROOT_PASSWORD={{ arangodb_root_password }} arango-secure-installation
       become: true
 
+    - name: Copy the SSL certificate files to the server
+      copy:
+        src: '{{ ssl_cert_path }}'
+        dest: /home/ubuntu/
+        local_follow: yes
+        mode: u=rw,g=,o=
+      become: true
+
+    - name: Combine the chain and the private key into one file (required by arango)
+      shell:
+        chdir: /home/ubuntu/
+        cmd: cat fullchain.pem privkey.pem > server.pem
+      become: true
+
+    - name: Set the combined file as 600 permission
+      file:
+        path: /home/ubuntu/server.pem
+        mode: u=rw,g=,o=
+      become: true
+
+    - name: Add an exception to the permissions for the arangodb user
+      shell:
+        chdir: /home/ubuntu/
+        cmd: setfacl -m u:arangodb:r server.pem
+      become: true
+
+    - name: Add the SSL filepath to the config
+      blockinfile:
+        path: /etc/arangodb3/arangod.conf
+        block: |
+          [ssl]
+          keyfile = /home/ubuntu/server.pem
+      become: true
+
     - name: Enable arangodb to listen on all interfaces
       lineinfile:
         path: /etc/arangodb3/arangod.conf
         regexp: '^endpoint ='
-        line: "endpoint = tcp://0.0.0.0:8529"
+        line: "endpoint = ssl://0.0.0.0:8529"
       become: true
 
     - name: Start arangodb service