NYCPlanning / labs-infrastructure

Server infrastructure setup code

NYC Planning Labs Infrastructure

This repository contains code and documentation for configuring infrastructure managed by the NYC Planning Labs team. The parts that get modified most frequently:

Links

Setup

  1. Install dependencies.

    • Python 3

      • NOTE: If pip or Ansible fails with an SSL certificate error, the python.org macOS installer ships a script that installs a current CA bundle for that interpreter (the version in the path must match the Python you installed):

        sudo /Applications/Python\ 3.6/Install\ Certificates.command
    • Pipenv

  2. Install Ansible and its dependencies.

    pipenv install
    pipenv run ansible-galaxy install -p roles/external -r requirements.yml

Usage

To run against a live server:

  1. Do the one-time credential setup.

    1. Create a DigitalOcean token with read access.
    2. Save your token to a digital_ocean.ini configuration file. Treat that file as a secret: keep it out of version control and readable only by you (chmod 600).

      [digital_ocean]
      api_token=TOKEN
  2. Enable the virtualenv.

    pipenv shell
  3. Export the DigitalOcean API token into the environment (DO_API_TOKEN). This is required because the Digital Ocean Ansible modules can't read digital_ocean.ini; the inventory script's --env option prints the token in a form that export consumes directly, so it does not land in your shell history.

    export $(./digital_ocean.py --env)
  4. Run one of the playbooks. Use root as the USER on the first run and your GitHub username on every run after that, because the first run removes root's SSH access.

Any of these can be done as a "dry run" by adding --check to the end of the command: Ansible reports what would change without changing anything. Tasks whose input depends on an earlier task's result can report differently in check mode, so treat it as a preview rather than a guarantee.

Examples of running playbooks for different scenarios:

Adding users

  1. Have them add their SSH key to their GitHub account.
  2. Add GitHub username to the users variable in the variables file.
  3. Run the base playbook. See examples above.

Removing users

  1. Move username from the users to former_users variable in the variables file.
  2. Run the base playbook. See examples above.
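The two procedures above (adding a user by GitHub username, removing one by moving the name to former_users) boil down to a handful of Ansible tasks. The playbook below is an added example written for this README, not the project's own base playbook or common role. It assumes the variables file defines users and former_users as lists of GitHub usernames and lives at vars/users.yml; the group name labs_admins and the sudoers drop-in are this example's choices. Root's SSH login is disabled last, after the user accounts and keys exist, which is the ordering that makes "root on the first run, your own user afterwards" safe.

```yaml
# Added example, not the project's playbook. Assumes `users` and `former_users`
# (lists of GitHub usernames) come from vars/users.yml; the group name and
# sudoers file below are example choices.
- name: Manage labs server accounts from GitHub usernames
  hosts: all
  become: true
  vars_files:
    - vars/users.yml            # assumed location of the variables file
  vars:
    admin_group: labs_admins    # example group name, not from the project

  tasks:
    - name: Refuse to run if a username is in both lists
      assert:
        that: (users | intersect(former_users)) | length == 0
        msg: "In both users and former_users: {{ users | intersect(former_users) }}"
      run_once: true

    - name: Group that is granted sudo
      group:
        name: "{{ admin_group }}"
        state: present

    - name: Grant sudo to that group only, through a visudo-validated drop-in
      copy:
        dest: "/etc/sudoers.d/{{ admin_group }}"
        content: "%{{ admin_group }} ALL=(ALL) NOPASSWD:ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    - name: Create accounts for current users
      user:
        name: "{{ item }}"
        groups: "{{ admin_group }}"
        append: true
        shell: /bin/bash
        state: present
      loop: "{{ users }}"

    - name: Install exactly the keys each user publishes on GitHub
      authorized_key:
        user: "{{ item }}"
        key: "https://github.com/{{ item }}.keys"
        exclusive: true      # any key not on GitHub is removed, so a revoked key disappears on the next run
      loop: "{{ users }}"

    - name: Remove former users together with their home directories
      user:
        name: "{{ item }}"
        state: absent
        remove: true
      loop: "{{ former_users }}"

    - name: Disable root login over SSH only after the user accounts exist
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: PermitRootLogin no
        validate: /usr/sbin/sshd -t -f %s
      notify: restart ssh

  handlers:
    - name: restart ssh
      service:
        name: ssh
        state: restarted
```

Two caveats worth keeping in mind with this design. The keys are fetched by the managed server from github.com at run time, so whoever controls a listed GitHub account controls access to every server; removing someone means moving them to former_users, not just deleting their key on GitHub (although with exclusive: true that alone revokes the key on the next run). And an account that publishes no keys leaves that user with nothing in authorized_keys, so check https://github.com/USERNAME.keys before adding a name. Run the playbook with --check first, as the Usage section describes.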

Server checklist

Every server/Droplet should:

  1. [ ] Use an Ubuntu LTS as the operating system, unless there's a good reason to use something else
    • Why: consistency
  2. [ ] Be tagged with labs
  3. [ ] Use a floating IP
    • Why: so that the server can be replaced without modifying DNS, if need be
    • ...especially if a *.planning.nyc.gov domain is going to be pointed at it
  4. [ ] Have a Cloud Firewall enabled
  5. [ ] Have backups enabled. The setup run depends on this: it fails at the step that takes a backup if backups are disabled, and nothing after that step runs.
  6. [ ] Have an Ansible playbook with the common role
  7. [ ] Have the services/containers/etc. start properly after machine reboot
    • Why: services and machines need to be rebooted occasionally for things like upgrades, and this makes the recovery afterwards as smooth as possible
    • This needs to be tested manually
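Items 1 to 5 of the checklist are all visible through the DigitalOcean API, so they can be audited instead of ticked by hand. The playbook below is an added example, not part of this repository: it runs locally, makes three read-only API calls (a token with read access, as created in the Usage section, is enough) and asserts each item against every Droplet. It assumes DO_API_TOKEN is in the environment, as export $(./digital_ocean.py --env) leaves it, that the account has at most 200 of each resource (one page), and that the accepted Ubuntu LTS image slugs follow the ubuntu-NN-04 pattern given in the regex. Items 6 and 7 cannot be checked this way; the README already says item 7 is a manual test.

```yaml
# Added example, not the project's code. Audits Droplets against checklist
# items 1-5 via the DigitalOcean v2 API. Assumes DO_API_TOKEN is exported and
# that no resource type has more than 200 entries (one API page).
- name: Audit Droplets against the labs server checklist
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    do_api: https://api.digitalocean.com/v2
    do_headers:
      Authorization: "Bearer {{ lookup('env', 'DO_API_TOKEN') }}"
    required_tag: labs
    # Ubuntu LTS image slugs look like ubuntu-22-04-x64; adjust as new LTS releases appear.
    lts_slug_regex: '^ubuntu-(16|18|20|22|24)-04'

  tasks:
    - name: Fetch droplets, floating IPs and firewalls (GET only)
      uri:
        url: "{{ do_api }}/{{ item }}?per_page=200"
        headers: "{{ do_headers }}"
        return_content: true
      loop: [droplets, floating_ips, firewalls]
      register: api
      no_log: true          # keeps the bearer token out of -v output; drop temporarily when debugging

    - name: Derive which Droplet IDs hold a floating IP or sit behind a Cloud Firewall
      set_fact:
        droplets: "{{ api.results[0].json.droplets }}"
        # unassigned floating IPs have droplet: null, so filter those out first
        fip_droplet_ids: "{{ api.results[1].json.floating_ips | rejectattr('droplet', 'none') | map(attribute='droplet.id') | list }}"
        fw_droplet_ids: "{{ api.results[2].json.firewalls | map(attribute='droplet_ids') | flatten }}"

    - name: Checklist items 1-5 for every Droplet
      assert:
        that:
          - (item.image.slug | default('', true)) is match(lts_slug_regex)   # 1. Ubuntu LTS (snapshots have no slug and are flagged)
          - required_tag in item.tags                                        # 2. tagged labs
          - item.id in fip_droplet_ids                                       # 3. floating IP
          - item.id in fw_droplet_ids                                        # 4. Cloud Firewall
          - "'backups' in item.features"                                     # 5. backups enabled
        msg: "{{ item.name }} fails the checklist: image={{ item.image.slug }} tags={{ item.tags }} features={{ item.features }}"
      loop: "{{ droplets }}"
      loop_control:
        label: "{{ item.name }}"
      ignore_errors: true   # report every failing Droplet, not just the first one
```

Run it with ansible-playbook against this file; no inventory is needed because it only talks to the API. A Droplet that legitimately deviates from item 1 ("unless there's a good reason") will show up as a failure here, which is the point: the exception then has to be written down rather than forgotten.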

Be careful not to check secrets into this repository.