Thanks for that @zeh, I did look at Debops when I started learning Ansible and was put off by its extensive nature (it appeared far too complicated for what I wanted to start using Ansible for; I wanted to get stuck in and do things from scratch straight away). I would be interested in using it someday and I'm sure there is a lot I could learn from it, and I expect there are parts I could copy or simply use as replacements.
I've been using Ansible and learning as I go for almost 3 years, and after doing things using Bash, Git and Subversion (and before that CVS) it's been really good to switch to Ansible, GitLab CI and Docker to, basically, automate my own job.
We are using GitLab CI to build Docker containers in which GitLab CI can then run Ansible to automatically update servers after the users' YAML dictionary configuration files are edited. So you can define users as the following example shows, using the GitLab IDE to edit the file in your web browser; the configuration is saved in a git repo and then checked (I'm working on this aspect at the moment, it isn't good having mistakes in a YAML file break a server!) and, if it passes, applied to the server when you click save.
```yaml
---
users:
  wp:
    users_name: WordPress
    users_email: chris@webarch.net
    users_ssh_public_keys:
      - https://git.coop/chris.keys
    users_quota: 2G
    users_mariadb_databases:
      - wp_live
      - wp_dev
    users_phpfpm_pm: dynamic
    users_phpfpm_max_children: 4
    users_phpfpm_pm_start_servers: 2
    users_apache_virtual_hosts:
      live/web:
        users_apache_server_name: www.wp.wsh.webarchitects.org.uk
        users_apache_server_aliases:
          - wp.wsh.webarchitects.org.uk
        users_apache_type: php
        users_cms: wordpress
        wordpress_dbname: wp_live
        wordpress_url: https://www.wp.wsh.webarchitects.org.uk
        wordpress_title: "WordPress Blog"
        wordpress_admin_user: chris
        wordpress_admin_email: chris@webarch.coop
        users_apache_nophp_dirs:
          - wp-content/uploads
        users_apache_locations:
          - authname: WordPress Admin
            location: /wp-login.php
        users_apache_htauth_users:
          - name: wp
            password: admin
      dev/web:
        users_apache_server_name: www.dev.wp.wsh.webarchitects.org.uk
        users_apache_server_aliases:
          - dev.wp.wsh.webarchitects.org.uk
        users_apache_type: php
        users_apache_robots: deny
        users_cms: wordpress
        wordpress_dbname: wp_dev
        users_apache_nophp_dirs:
          - wp-content/uploads
        users_daily_scripts:
          - "wp-update {{ users_basedir }}/wp/{{ users_sites_dir }}/dev/web" # Update WordPress nightly
        users_apache_locations:
          - authname: WordPress Development Site
            location: /
        users_apache_htauth_users:
          - name: wp
            password: admin
...
```
Another key thing that our server configuration does is chroot `php-fpm` and `sshd` to ensure that users cannot reach other users' data (I need to also look at doing this for `mysql`); in addition, everything apart from directories for sockets and users' home directories is a read-only, bind mounted Debian install with no configuration other than the entries for users in `/etc/passwd` and `/etc/group`.
We also have automated installation of WordPress, Matomo (giving each user an account and adding their sites and configuring the WordPress plugin) and phpMyAdmin (again giving all users web based access to manage their databases) and intend to add some others.
Documenting everything has still to be done but the nice thing about Ansible is that it is generally so readable that it documents itself.
For sharing SSH keys the easiest thing is to add them to GitHub and / or Launchpad, eg:
Then on a server you can do `apt install ssh-import-id -y && ssh-import-id chriscroome` to add your keys.
However when I script the installation of keys I generally use this URL as it is nicer and under our control:
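A pre-apply check of the kind the post says is still being worked on, as an added example that is not part of the original post and not the author's CI job. The rules (a WordPress site's database must be declared in `users_mariadb_databases`, `wordpress_url` must be https and match a configured hostname, the quota must look like `2G`, PHP-FPM start servers must not exceed max children, and no trivially weak `users_apache_htauth_users` passwords) are my assumptions about what is worth rejecting before Ansible touches a server. The key names follow the sample dictionary above, which is embedded here as a constructed Python dict equivalent to what PyYAML's `yaml.safe_load` would return for it; the file name in the usage note is hypothetical.

```python
"""Pre-apply sanity checks for a users YAML dictionary.

Added example, not the author's CI job: the rule set is an assumption
about what is worth rejecting before Ansible applies the configuration.
"""
import copy
import sys
import re
from urllib.parse import urlparse

WEAK_PASSWORDS = {"admin", "password", "wordpress", "changeme", "letmein"}  # assumed list
MIN_PASSWORD_LEN = 12
QUOTA_RE = re.compile(r"^\d+[KMGT]$")  # e.g. 2G, the form used in the post's sample

# Constructed sample: the post's YAML as yaml.safe_load would return it (trimmed).
SAMPLE_CONFIG = {"users": {"wp": {
    "users_name": "WordPress",
    "users_email": "chris@webarch.net",
    "users_quota": "2G",
    "users_mariadb_databases": ["wp_live", "wp_dev"],
    "users_phpfpm_max_children": 4,
    "users_phpfpm_pm_start_servers": 2,
    "users_apache_virtual_hosts": {
        "live/web": {
            "users_apache_server_name": "www.wp.wsh.webarchitects.org.uk",
            "users_apache_server_aliases": ["wp.wsh.webarchitects.org.uk"],
            "users_cms": "wordpress",
            "wordpress_dbname": "wp_live",
            "wordpress_url": "https://www.wp.wsh.webarchitects.org.uk",
            "users_apache_locations": [{"authname": "WordPress Admin", "location": "/wp-login.php"}],
            "users_apache_htauth_users": [{"name": "wp", "password": "admin"}],
        },
        "dev/web": {
            "users_apache_server_name": "www.dev.wp.wsh.webarchitects.org.uk",
            "users_cms": "wordpress",
            "wordpress_dbname": "wp_dev",
            "users_apache_locations": [{"authname": "WordPress Development Site", "location": "/"}],
            "users_apache_htauth_users": [{"name": "wp", "password": "admin"}],
        },
    },
}}}


def validate_users(config):
    """Return a list of findings; an empty list means the dictionary passes."""
    findings = []
    users = config.get("users") if isinstance(config, dict) else None
    if not isinstance(users, dict):
        return ["top-level 'users' must be a mapping"]
    for uname, user in users.items():
        where = f"users.{uname}"
        if not isinstance(user, dict):
            findings.append(f"{where}: must be a mapping")
            continue
        for key in ("users_name", "users_email"):
            if key not in user:
                findings.append(f"{where}: missing {key}")
        quota = user.get("users_quota")
        if quota is not None and not QUOTA_RE.match(str(quota)):
            findings.append(f"{where}: users_quota {quota!r} is not of the form 2G")
        start = user.get("users_phpfpm_pm_start_servers")
        max_children = user.get("users_phpfpm_max_children")
        if start is not None and max_children is not None and start > max_children:
            findings.append(f"{where}: pm_start_servers {start} exceeds max_children {max_children}")
        databases = set(user.get("users_mariadb_databases", []))
        for vname, vhost in (user.get("users_apache_virtual_hosts") or {}).items():
            vwhere = f"{where}.users_apache_virtual_hosts.{vname}"
            hostnames = {vhost.get("users_apache_server_name")}
            hostnames.update(vhost.get("users_apache_server_aliases", []))
            if vhost.get("users_cms") == "wordpress":
                dbname = vhost.get("wordpress_dbname")
                if dbname not in databases:  # the role would create a site with no database
                    findings.append(f"{vwhere}: wordpress_dbname {dbname!r} is not in users_mariadb_databases")
                url = vhost.get("wordpress_url")
                if url is not None:
                    parsed = urlparse(url)
                    if parsed.scheme != "https" or parsed.hostname not in hostnames:
                        findings.append(f"{vwhere}: wordpress_url {url!r} must be https and match a configured hostname")
            for loc in vhost.get("users_apache_locations", []):
                if not str(loc.get("location", "")).startswith("/"):
                    findings.append(f"{vwhere}: location {loc.get('location')!r} must start with /")
            for ht in vhost.get("users_apache_htauth_users", []):  # basic auth in front of wp-login.php
                pw = str(ht.get("password", ""))
                if pw.lower() in WEAK_PASSWORDS or len(pw) < MIN_PASSWORD_LEN:
                    findings.append(f"{vwhere}: htauth user {ht.get('name')!r} has a weak password")
    return findings


def broken_sample():
    """Constructed negative case: the sample with several mistakes introduced."""
    cfg = copy.deepcopy(SAMPLE_CONFIG)
    wp = cfg["users"]["wp"]
    wp["users_quota"] = "2GB"                    # not K/M/G/T
    wp["users_phpfpm_pm_start_servers"] = 8      # more than max_children
    wp["users_mariadb_databases"] = ["wp_dev"]   # wp_live no longer declared
    wp["users_apache_virtual_hosts"]["live/web"]["wordpress_url"] = "http://www.wp.wsh.webarchitects.org.uk"
    return cfg


if __name__ == "__main__":  # CI usage: python3 check_users.py users.yml (file name hypothetical)
    import yaml  # PyYAML, already a dependency of Ansible
    with open(sys.argv[1]) as fh:
        problems = validate_users(yaml.safe_load(fh))
    print("\n".join(problems) if problems else "users dictionary OK")
    sys.exit(1 if problems else 0)
```

Run as a GitLab CI job before the `ansible-playbook` step; a non-zero exit stops the pipeline, so a bad dictionary never reaches the server. On the sample above the only findings are the two `admin` htauth passwords, which is exactly the sort of thing worth refusing to deploy.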