diff --git a/README.md b/README.md index 9911c6f..8ffccb3 100644 --- a/README.md +++ b/README.md 
@@ -1,19 +1,82 @@ -# Testing ansible +# Project Segfault Ansible (Production) + +These are the ansible configs used in production on Project Segfault servers. + +We have 2 different playbooks, one for setting up the basic things every one of our servers needs, and one for managing docker and caddy for our geographic nodes (mostly Privacy Frontends) + +The configs/compose files for the Privacy Frontends are included here as well. + +All files under this repo are licensed under the GPLv3, unless specified otherwise. + +## Running Playbook(s) +Firstly, you need to install dependencies, which can be done with the following: ``` ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force -# All servers +``` +Then, you can run the all playbook as such +``` ansible-playbook all/playbook.yaml # Initialize -# Privacy Frontends +``` +For Privacy Frontends playbook, you need access to the ansible vault password, which you'll have if you are a segfault sysadmin :) +``` ansible-playbook -i inventory.yml -e @secrets.enc --ask-vault-pass privfrontends/playbook.yaml ``` -To add secrets: `ansible-vault edit secrets.enc` +Additionally, you can make use of the following ansible tags: +- caddy-non-update \- update Caddy configs but don't update caddy itself +- docker \- run docker compose stuff +- cron \- setup cronjobs for hourly restarts + +Tags can be used with the following syntax: `--tag tag1,tag2,tag3` +## Ansible Vaults +Many parts of our privacy frontends configurations are meant to be private, such as HMAC keys and database passwords. + +Hence, these are stored as variables using ansible-vault. + +There are two different ansible-vaults in use in our setup, encrypted `host_vars` files per-host, and a global `secrets.enc`. + +### secrets.enc +`/secrets.enc` contains private variables that are same for all our servers. 
+Currently, it contains the following: (as of 9/6/23) +- rfc2136_key \- RFC2136 key for DNS01 +- watchtower_mtrx_pass \- Watchtower Matrix password + +### host_vars +host_vars are dynamic variables that can be different for each host. +We have two encrypted host_vars files in our setup, one for the services, and one for healthchecks on cronjobs. +#### healthchecks.yaml (as of 9/6/23) +- invidious_hc_uuid - UUID for invidious hourly restart +- teddit_hc_uuid - UUID for teddit hourly restart +#### privfrontends_secrets.yaml (as of 9/6/23) +- scribe_secret_key_base +- nitter_hmac_key +- librarian_auth_token +- librarian_hmac_key +- searxng_secret_key +- anonymousoverflow_signing_secret + +## Playbooks +### all +The `all` playbook contains the basics needed for every server on our infrastructure. +As of 9/6/23, it does the following: +- Installs vim, curl, wget, sudo, netstat, nmap, pip, chrony (ntp), vnstat (bw monitoring) +- Enables systemd services for VNStat and Chrony +- Adds bash configuration +- Creates users for the sysadmins and adds their ssh keys to it +- Allows sudo without password +- Adds an extra authorized_key on Soleil Levant servers for sshpiper +- Adds custom sshd configuration +### privfrontends +Our Geographic Privacy Frontends nodes are managed with this playbook. +As of 9/6/23, it does the following: +- Uses the caddy-ansible role to setup a caddy instance with the rfc2136 plugin added +- Copies per-server extras files +- Sets up the privacy frontends from a pre-defined list (it does ignore if there isnt any config change however to make sure its not extremely slow) +- Restart certain services every hour since they aren't very stable ## Adding new services -Adding new services is a bit janky, for I had to set it up with normal commands instead of the preferred community.docker collection (it doesn't support v2 which we use on most of our compose files) - Firstly, add the thing to `docker_services` array/var in `/privfrontends/playbook.yaml`. 
This list **MUST** be maintaind in alphabetical order for ease of maintanence. -Then, create the `/compose/SERVICE_NAME` directory and add the compose file to the same. You can use the `{{inventory_hostname}}` variables where required. +Then, create the `/compose/SERVICE_NAME` directory and add the compose file (compose.yml.j2) to the same. You can use the `{{inventory_hostname}}` variables where required. If the service needs a secret key, add it to the ansible-vault secrets.enc with `ansible-vault edit secrets.enc`. If you are a Project Segfault sysadmin you already have the password for it :P @@ -21,14 +84,20 @@ Past this, Caddy needs to be configured. The common GeoDNS configuration can be done following this format ``` -SERVICE_NAME.{{inventory_hostname}}.projectsegfau.lt SERVICE_NAME.projectsegfau.lt { +SERVICE_NAME.{{inventory_hostname}}.projectsegfau.lt SERVICE_NAME.projectsegfau.lt SERVICE_SHORT_NAME.psf.lt SERVICE_SHORT_NAME.{{inventory_hostname}}.psf.lt { reverse_proxy :PORT import def - import torloc SERVICE_NAME # Setup tor first following the wiki + import torloc SERVICE_NAME } ``` -Tor/I2P can be setup following the instructions in https://wiki.projectsegfau.lt/Internal:Setting_up_a_GeoDNS_service, with the only change that tor/i2p are now merged and they are in `/templates/01-extras.caddy`. +To setup TOR, you have to add the following to privfrontends/templates/eu/darknet.Caddy +``` +http://SERVICE_NAME.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor SERVICE_NAME + reverse_proxy :PORT +} +``` Past this, you can run the deployment as outlined in the beginning.
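Review bot: The "Allows sudo without password" bullet under the `all` playbook is the one security-relevant setting in this README and it gets no explanation; a sentence stating that this makes the sysadmin SSH keys (plus the extra sshpiper authorized_key on Soleil Levant hosts) the only control standing between a compromised key and root on every server would help readers understand why key handling matters. The same hunk documents tags as `--tag tag1,tag2,tag3`, but the ansible-playbook option is spelled `--tags` (it also accepts `-t`); the abbreviated form only works by accident of prefix matching. The "as of 9/6/23" stamps are ambiguous between June and September; an ISO date such as 2023-06-09 or 2023-09-06 (whichever is meant) avoids the question. Minor wording: "the all playbook" reads better as "the `all` playbook", "setup"/"Restart" in the bullet lists should be "set up"/"Restarts", and "isnt"/"its" in the privfrontends bullet are "isn't"/"it's".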
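Review bot: This hunk removes the only pointer to where the Caddy snippets come from: the old text said the merged tor/i2p definitions live in `/templates/01-extras.caddy` and linked the wiki page, while the new text uses both `import torloc SERVICE_NAME` and `import tor SERVICE_NAME` without saying which template defines them, so a new contributor cannot tell what `tor` and `torloc` expand to or why the GeoDNS block imports one and the darknet block the other. Please add a sentence naming the template. The replacement also drops I2P entirely (the removed line covered "tor/i2p"); either document the I2P step alongside the new `darknet.Caddy` instructions or state that I2P is no longer deployed, so readers do not assume it is still configured. Minor: "To setup TOR" should read "To set up Tor", and the trailing `/compose/SERVICE_NAME` sentence now names `compose.yml.j2`, which is a useful fix.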