diff --git a/devops/ansible/env/example/inventory.yml b/devops/ansible/env/example/inventory.yml new file mode 100644 index 0000000..d9e648e --- /dev/null +++ b/devops/ansible/env/example/inventory.yml @@ -0,0 +1,145 @@ +#== +# This is an example inventory file to setup an instance of MyJekyllBlog. +# +# SENSITIVE variables should be stored in the vault.yml file and then encrypted +# with ansible-vault. +# +# ansible-vault encrypt --vault-password-file .vault_password env/example/vault.yml +# +# To edit these values in the future, you can edit the file with the following command: +# +# ansible-vault edit --vault-password-file .vault_password env/example/vault.yml +# +# To run the playbooks, use the following: +# ansible-playbook -i env/example/inventory.yml --vault-password-file .vault_password -e @env/example/vault.yml site.yml +# +#== + +all: + vars: + # This is the git repository that contains MyJekyllBlog itself. It will be checked out + # during the installation process on the various machines that need it. + repo: https://git.modfoss.com/symkat/MyJekyllBlog.git + + + # These are hostnames of specific services. + # + # root should be set to the top level domain for everything, it will be used to configure + # ssh and git for the manager user account. + # + # panel, store, and certbot should all be set to the hostnames for their services. There should + # never be more than one of each server type. + domain_name: + root: example.com + panel: panel.example.com + store: store.example.com + certbot: certbot.example.com + + # These are database configurations. + # + # For the store server, the database name, user, and pass will be used to create + # the psql database and user account. + # + # For any server that includes mjb-role-webapp, they will be used for credentials in /etc/mjb.yml + databases: + mjb: + name: mjb + user: mjb + pass: "{{ vault_databases_mjb_pass }}" + host: 192.168.216.75 + minion: + name: minion + user: minion + pass: "{{ vault_databases_minion_pass }}" + host: 192.168.216.75 + gitea: + name: gitea + user: gitea + pass: "{{ vault_databases_gitea_pass }}" + host: 127.0.0.1 + + # SMTP Credentials + # + # These credentials will be used by Gitea for its SMTP configuration, + # and by the panel for transactional email with MJB::Web::Plugin::Email. + smtp: + host: smtp.mail-provider.com + from: mailbot@example.com + user: apikey + pass: "{{ vault_smtp_pass }}" + + panel_config: + # This repo is the initial repository cloned when somebody creates a new blog. + jekyll_init_repo: git@store.example.com:manager/jekyll-default.git + + # This should be the link to an org on gitea on the store server, the repository will + # be completed with the domain name, like :mjb/domain.com.git + store_repo_base: git@store.example.com:mjb/ + + # These secrets are used for the session encryption + secrets: "{{ vault_panel_config_secrets }}" + +# Configuration specific to the panel server. +panel: + hosts: + panel.example.com: + redirect_www: false + +# Configuration specific to the build servers. +buildservers: + hosts: + build.example.com: + +# Configuration specific to the webservers. +webservers: + hosts: + web-west.example.com: + web-east.example.com: + +# Configuration specific to the webservers. +certbot: + hosts: + certbot.example.com: + # To use certbot for wildcard ssl certs, you must use a DNS challenge. These are + # the credentials for the linode dns challenge. + linode_dns_credentials: "{{ vault_linode_dns_credentials }}" + +# Configuration specific to the store server. +store: + hosts: + store.example.com: + # This section configures the postgresql database that will run on the store server. + # + # The bind_address accepts an IP address for psql to bind to. The PSQL configuration will + # bind to this IP address, and 127.0.0.1. + # + # Each IP address in allow_addresses will be added to the PSQL HBA file. This should contain + # all of the IP addresses of the panel, build, store and certbot servers so each may use the + # databases. + database: + bind_address: 192.168.216.75 + allow_addresses: + - 192.168.213.90 # panel.example.com + - 192.168.188.226 # build.example.com + - 192.168.216.75 # store.example.com + - 192.168.163.105 # certbot.example.com + + # This section configures Gitea on the store server. + gitea: + # The user, email and pass will be used to create an initial user on the Gitea + # instance installed on the store server. + user: manager + email: manager@example.com + pass: "{{ vault_gitea_pass }}" + + # This is a token that Gitea needs to secure the installation. + # You can generate this secret by running, from the ansible directory: + # + # ./roles/mjb-profile-store/files/gitea-1.17.1-linux-amd64 generate secret INTERNAL_TOKEN + internal_token: "{{ vault_internal_token }}" + + # This is a token that Gitea needs to secure the installation. + # You can generate this secret by running, from the ansible directory: + # + # ./roles/mjb-profile-store/files/gitea-1.17.1-linux-amd64 generate secret JWT_SECRET + jwt_token: "{{ vault_jwt_token }}" diff --git a/devops/ansible/env/example/vault.yml b/devops/ansible/env/example/vault.yml new file mode 100644 index 0000000..e1d0e95 --- /dev/null +++ b/devops/ansible/env/example/vault.yml @@ -0,0 +1,12 @@ +vault_databases_mjb_pass: 'some password' +vault_databases_minion_pass: 'some password' +vault_databases_gitea_pass: 'some password' +vault_linode_dns_credentials: 'some password' + - 'dns_linode_key = api-key-from-linode, for wildcard ssl' + - 'dns_linode_version = 4' +vault_internal_token: 'see docs in inventory.yml for how to generate this' +vault_jwt_token: 'see docs in inventory.yml for how to generate this' +vault_panel_config_secrets: + - 'some really long string' +vault_smtp_pass: 'your smtp provider password' +vault_gitea_pass: 'the password to set for the managers gitea account'