Nold360 commented 4 years ago

ToDo:

Roles

We need a role for every component of the infrastructure:

[ ] backup: I will most likely use borgbackup for this. But i havn't found a nice role, yet. might build my own.
[x] common: Packages & stuff for all servers
[x] sudo: .. configures sudo
[ ] gateway: FF-Gateway docker configuration & routing
- [ ] Including: docker-containers, routing & other services
[ ] jool: Clones module & docker git. Builds/installs module when module unavailable, same for the container. WIP
[x] docker: installs docker
[ ] ssh: configures sshd
[ ] users: adds admin users & their ssh-keys from https://github.com/FreifunkMD/ffmd-ssh-keys
[ ] monitor[ing] - I would use icinga2 for this.
- [ ] client configuration
- [ ] server configuration
[ ] network: Set IPs, Forwardings, GRE-Tunnel?, ...?
[ ] ...?

Firewall can be managed using an external "ufw"-Role.

Everybody loves docs!

How/where do we execute ansible playbooks? To prevent the application of non-upstream changes, this should be automatically done. How do you do that with ansible?
- My first guess would be to use a CI and incl. a branching concept, so feature-branches get applied to dev/test-nodes and not production. I'm used to Gitlab-CI, but to keep independence from the version control system we should use something else. I heart a lot of bad things about jenkins, still everybody seems to be using it...
I've will migrate https://github.com/penguineer/ansible into this.

What else do we need to configure/manage?

Nold360 commented 4 years ago

The AWX "Tower" is free software, too. But maybe oversized? https://github.com/ansible/awx

penguineer commented 4 years ago

There is also https://github.com/FreifunkMD/ansible/pull/1 and another ffmd ansible repository. We should sort those out, too.

Nold360 commented 4 years ago

There is also #1 and another ffmd ansible repository. We should sort those out, too.

Absolutely & I've already started integrating #1 :) //Edit: oh seems like i'm already done..

penguineer commented 4 years ago

I propose splitting up the bootstrap role into three:

Basic setup that needs to be done only once
Setting up users (which might be repeated when the user base or their keys change)
Locking the root account (which should be done from one of the user accounts to make sure setting up the users went okay before closing down the root account. Otherwise the machine is bricked.)