MVP of CKAN Ansible role

[fititnt]

Refs

• CKAN quick test to consider add or not to the stack #8
• Find already existing or create new CKAN Docker images #9
• https://docs.ckan.org/en/2.8/maintaining/installing/install-from-package.html
• https://docs.ckan.org/en/2.8/maintaining/installing/install-from-source.html
• Things that are likely to go wrong (since using Ubuntu 18, and not ubuntu 16)
  • https://github.com/ckan/ckan/issues/4311
  • https://github.com/ckan/ckan/issues/4916
  • https://github.com/ckan/ckan/issues/4762
  • https://stackoverflow.com/questions/55939999/how-to-get-solr-and-ckan-to-run-on-ubuntu-18-04-after-recent-solr-jetty-updates/56007895#56007895

[fititnt]

• GitHub search: https://github.com/search?q=ansible+ckan
• This is how the python-ckan_2.8-bionic_amd64.deb was created https://github.com/ckan/ckan-packaging/blob/master/package.yml
• Ansible Playbooks/Roles (some are outdated, some are very specific to some cloud enviroments)
  • https://github.com/oguya/ansible-ckan
  • https://github.com/TkTech/ckan.playbook
  • https://github.com/mxabierto/dgm-ansible
  • https://github.com/UtrechtUniversity/epos-msl
  • https://github.com/vrk-kpa/api-catalog/tree/master/ansible
  • https://github.com/antarctica/ansible-ckan
  • https://github.com/CSCfi/ansible-role-ckan
  • https://github.com/MichaelHarmsTIB/ckanOverAnsible
  • https://github.com/kohakurei/ansible-role-ckan
  • https://github.com/drmalex07/ckan-recipe
  • https://github.com/GSA/datagov-deploy/tree/develop/ansible
  • https://github.com/qld-gov-au/ckan-qld-infrastructure
  • https://github.com/manimike00/ckan

[fititnt]

Interesting. The Ubuntu packages at http://packaging.ckan.org/ actually leave a Ubuntu host near ready to use (if we don't take in account the databases). It by default just don't prepare to serve HTTPS.

BUT in our case, since we're using traefik on frontend, at least the NGinx should be removed/disabled. And the default apache2 port is the same as the traefik dashboard (so it may be better to change the traefik).

An, and definitely will need enable firewall. So many open ports.

root@hxl-eticadev:~/ckan-stack# netstat -ntulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      400/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      440/sshd            
tcp        0      0 0.0.0.0:8983            0.0.0.0:*               LISTEN      1885/java           
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      27225/postgres      
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      7563/redis-server 1 
tcp        0      0 127.0.0.1:7983          0.0.0.0:*               LISTEN      1885/java           
tcp6       0      0 :::8080                 :::*                    LISTEN      9923/traefik        
tcp6       0      0 :::80                   :::*                    LISTEN      9923/traefik        
tcp6       0      0 :::22                   :::*                    LISTEN      440/sshd            
tcp6       0      0 :::443                  :::*                    LISTEN      9923/traefik        
tcp6       0      0 :::8000                 :::*                    LISTEN      9320/docker-proxy   
tcp6       0      0 :::9000                 :::*                    LISTEN      9282/docker-proxy   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           400/systemd-resolve

root@hxl-eticadev:~/ckan-stack# systemctl list-unit-files | grep enabled
acpid.path                             enabled        
accounts-daemon.service                enabled        
apache2.service                        enabled        
apparmor.service                       enabled        
autovt@.service                        enabled        
console-setup.service                  enabled        
containerd.service                     enabled        
cron.service                           enabled        
dbus-org.freedesktop.resolve1.service  enabled        
docker.service                         enabled        
getty@.service                         enabled        
irqbalance.service                     enabled        
keyboard-setup.service                 enabled        
networkd-dispatcher.service            enabled        
nginx.service                          enabled        
ondemand.service                       enabled        
postgresql.service                     enabled        
redis_6379.service                     enabled        
rsync.service                          enabled        
rsyslog.service                        enabled        
setvtrgb.service                       enabled        
ssh.service                            enabled        
sshd.service                           enabled        
syslog.service                         enabled        
sysstat.service                        enabled        
systemd-networkd-wait-online.service   enabled-runtime
systemd-networkd.service               enabled-runtime
systemd-resolved.service               enabled        
systemd-timesyncd.service              enabled        
ufw.service                            enabled        
ureadahead.service                     enabled        
acpid.socket                           enabled        
docker.socket                          enabled        
uuidd.socket                           enabled        
remote-fs.target                       enabled        
apt-daily-upgrade.timer                enabled        
apt-daily.timer                        enabled        
fstrim.timer                           enabled        
motd-news.timer                        enabled