I fixed the readme when I was bored idk

This commit is contained in:
Arya 2023-06-10 23:28:08 +05:30
parent a86bcd1596
commit c29bcedda7
Signed by: arya
GPG Key ID: 842D12BDA50DF120


@ -1,19 +1,82 @@
# Testing ansible # Project Segfault Ansible (Production)
These are the ansible configs used in production on Project Segfault servers.
We have 2 different playbooks, one for setting up the basic things every one of our servers needs, and one for managing docker and caddy for our geographic nodes (mostly Privacy Frontends)
The configs/compose files for the Privacy Frontends are included here as well.
All files under this repo are licensed under the GPLv3, unless specified otherwise.
## Running Playbook(s)
Firstly, you need to install dependencies, which can be done with the following:
``` ```
ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
# All servers ```
Then, you can run the all playbook as such
```
ansible-playbook all/playbook.yaml # Initialize ansible-playbook all/playbook.yaml # Initialize
# Privacy Frontends ```
For Privacy Frontends playbook, you need access to the ansible vault password, which you'll have if you are a segfault sysadmin :)
```
ansible-playbook -i inventory.yml -e @secrets.enc --ask-vault-pass privfrontends/playbook.yaml ansible-playbook -i inventory.yml -e @secrets.enc --ask-vault-pass privfrontends/playbook.yaml
``` ```
To add secrets: `ansible-vault edit secrets.enc` Additionally, you can make use of the following ansible tags:
- caddy-non-update \- update Caddy configs but don't update caddy itself
- docker \- run docker compose stuff
- cron \- setup cronjobs for hourly restarts
Tags can be used with the following syntax: `--tag tag1,tag2,tag3`
## Ansible Vaults
Many parts of our privacy frontends configurations are meant to be private, such as HMAC keys and database passwords.
Hence, these are stored as variables using ansible-vault.
There are two different ansible-vaults in use in our setup, encrypted `host_vars` files per-host, and a global `secrets.enc`.
### secrets.enc
`/secrets.enc` contains private variables that are same for all our servers.
Currently, it contains the following: (as of 9/6/23)
- rfc2136_key \- RFC2136 key for DNS01
- watchtower_mtrx_pass \- Watchtower Matrix password
### host_vars
host_vars are dynamic variables that can be different for each host.
We have two encrypted host_vars files in our setup, one for the services, and one for healthchecks on cronjobs.
#### healthchecks.yaml (as of 9/6/23)
- invidious_hc_uuid - UUID for invidious hourly restart
- teddit_hc_uuid - UUID for teddit hourly restart
#### privfrontends_secrets.yaml (as of 9/6/23)
- scribe_secret_key_base
- nitter_hmac_key
- librarian_auth_token
- librarian_hmac_key
- searxng_secret_key
- anonymousoverflow_signing_secret
## Playbooks
### all
The `all` playbook contains the basics needed for every server on our infrastructure.
As of 9/6/23, it does the following:
- Installs vim, curl, wget, sudo, netstat, nmap, pip, chrony (ntp), vnstat (bw monitoring)
- Enables systemd services for VNStat and Chrony
- Adds bash configuration
- Creates users for the sysadmins and adds their ssh keys to it
- Allows sudo without password
- Adds an extra authorized_key on Soleil Levant servers for sshpiper
- Adds custom sshd configuration
### privfrontends
Our Geographic Privacy Frontends nodes are managed with this playbook.
As of 9/6/23, it does the following:
- Uses the caddy-ansible role to setup a caddy instance with the rfc2136 plugin added
- Copies per-server extras files
- Sets up the privacy frontends from a pre-defined list (it does ignore if there isnt any config change however to make sure its not extremely slow)
- Restart certain services every hour since they aren't very stable
## Adding new services ## Adding new services
Adding new services is a bit janky, for I had to set it up with normal commands instead of the preferred community.docker collection (it doesn't support v2 which we use on most of our compose files)
Firstly, add the thing to `docker_services` array/var in `/privfrontends/playbook.yaml`. This list **MUST** be maintaind in alphabetical order for ease of maintanence. Firstly, add the thing to `docker_services` array/var in `/privfrontends/playbook.yaml`. This list **MUST** be maintaind in alphabetical order for ease of maintanence.
Then, create the `/compose/SERVICE_NAME` directory and add the compose file to the same. You can use the `{{inventory_hostname}}` variables where required. Then, create the `/compose/SERVICE_NAME` directory and add the compose file (compose.yml.j2) to the same. You can use the `{{inventory_hostname}}` variables where required.
If the service needs a secret key, add it to the ansible-vault secrets.enc with `ansible-vault edit secrets.enc`. If you are a Project Segfault sysadmin you already have the password for it :P If the service needs a secret key, add it to the ansible-vault secrets.enc with `ansible-vault edit secrets.enc`. If you are a Project Segfault sysadmin you already have the password for it :P
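Review bot: the tag syntax line (`Tags can be used with the following syntax: `--tag tag1,tag2,tag3``) should use the documented option name `--tags` (short form `-t`), since `--tag` only works by prefix abbreviation. The `all` playbook invocation `ansible-playbook all/playbook.yaml` also passes no inventory while the privfrontends command passes `-i inventory.yml`; one sentence saying which inventory the `all` playbook uses (or that it is picked up from ansible.cfg) would remove the inconsistency. Smaller points in the same hunk: "maintaind" and "maintanence" in the `docker_services` paragraph should read "maintained" and "maintenance", "isnt"/"its" in the privfrontends list should read "isn't"/"it's", and the repeated "as of 9/6/23" stamps are ambiguous between 9 June and 6 September; an unambiguous date format would help. Since the README now documents that sysadmin accounts get sudo without a password, it is worth naming which users that applies to so readers of the `all` section know the scope.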
@ -21,14 +84,20 @@ Past this, Caddy needs to be configured.
The common GeoDNS configuration can be done following this format The common GeoDNS configuration can be done following this format
``` ```
SERVICE_NAME.{{inventory_hostname}}.projectsegfau.lt SERVICE_NAME.projectsegfau.lt { SERVICE_NAME.{{inventory_hostname}}.projectsegfau.lt SERVICE_NAME.projectsegfau.lt SERVICE_SHORT_NAME.psf.lt SERVICE_SHORT_NAME.{{inventory_hostname}}.psf.lt {
reverse_proxy :PORT reverse_proxy :PORT
import def import def
import torloc SERVICE_NAME # Setup tor first following the wiki import torloc SERVICE_NAME
} }
``` ```
Tor/I2P can be setup following the instructions in https://wiki.projectsegfau.lt/Internal:Setting_up_a_GeoDNS_service, with the only change that tor/i2p are now merged and they are in `/templates/01-extras.caddy`. To setup TOR, you have to add the following to privfrontends/templates/eu/darknet.Caddy
```
http://SERVICE_NAME.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor SERVICE_NAME
reverse_proxy :PORT
}
```
Past this, you can run the deployment as outlined in the beginning. Past this, you can run the deployment as outlined in the beginning.
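Review bot: the new `SERVICE_SHORT_NAME` placeholder in the Caddy site line (`... SERVICE_SHORT_NAME.psf.lt SERVICE_SHORT_NAME.{{inventory_hostname}}.psf.lt {`) is introduced without saying where short names come from or whether they must match the `docker_services` entry; add a sentence defining it. The Tor paragraph also drops I2P: the previous text covered "Tor/I2P" via `/templates/01-extras.caddy`, while the new text only gives the onion block for `privfrontends/templates/eu/darknet.Caddy`, so state whether I2P still needs separate setup and where. Lastly, the main block uses `import torloc SERVICE_NAME` and the onion block uses `import tor SERVICE_NAME`; a short note on where those two snippets are defined would save a new sysadmin a search through the templates.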