Add preliminary ansible playbook

QuLogic · QuLogic · commit dd4ae1b12e2d · 2022-03-11T18:27:56.000-05:00
All this does right now is install the right packages.
diff --git a/README.md b/README.md
@@ -40,3 +40,37 @@ overrides in environment variables:
   interfaces)
 * The directory containing the git repositories with `SITE_DIR` (defaults to
   `sites` in the current directory)
+
+Ansible configuration
+=====================
+
+When running on DigitalOcean hosting, an Ansible playbook is used to configure
+the server with consistent settings.
+
+Setup
+-----
+
+Before you can run our ansible playbooks, you need to meet the following
+prerequisites:
+
+* Create a DigitalOcean API token, and pass it to the inventory generator by
+  setting the `DO_API_TOKEN` environment variable.
+* Set the vault decryption password of the ansible vaulted file with our
+  secrets. This may be done by setting the `VAULT_PASSWORD` environment
+  variable.
+* Download all the collections the playbooks depend on with the following
+  command:
+  ```
+  ansible-galaxy collection install \
+    --requirements-file collections/requirements.yml
+  ```
+
+You may wish to use [direnv](https://direnv.net/) to set environment variables.
+
+Running
+-------
+
+There is currently only one playbook:
+
+* `matplotlib.org.yml`, for the main matplotlib.org hosting. This playbook
+  operates on droplets with the `website` tag in DigitalOcean.
diff --git a/ansible.cfg b/ansible.cfg
@@ -0,0 +1,34 @@
+[defaults]
+
+inventory = {{CWD}}/inventories
+
+interpreter_python = auto
+
+# plays will gather facts by default, which contain information about
+# the remote system.
+#
+# smart - gather by default, but don't regather if already gathered
+# implicit - gather by default, turn off with gather_facts: False
+# explicit - do not gather by default, must say gather_facts: True
+gathering = smart
+
+# if set to a persistent type (not 'memory', for example 'redis') fact values
+# from previous runs in Ansible will be stored.  This may be useful when
+# wanting to use, for example, IP information from one group of servers
+# without having to talk to them in the same playbook run to get their
+# current IP information.
+fact_caching = jsonfile
+# This option tells Ansible where to cache facts. The value is plugin dependent.
+# For the jsonfile plugin, it should be a path to a local directory.
+# For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0
+fact_caching_connection = /tmp
+
+# Enabling pipelining reduces the number of SSH operations required to
+# execute a module on the remote server. This can result in a significant
+# performance improvement when enabled, however when using "sudo:" you must
+# first disable 'requiretty' in /etc/sudoers
+#
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+#
+pipelining = True
diff --git a/collections/requirements.yml b/collections/requirements.yml
@@ -0,0 +1,4 @@
+---
+collections:
+  - name: community.general
+  - name: community.digitalocean
diff --git a/inventories/inventory.digitalocean.yml b/inventories/inventory.digitalocean.yml
@@ -0,0 +1,24 @@
+---
+plugin: community.digitalocean.digitalocean
+api_token: "{{ lookup('env', 'DO_API_TOKEN') }}"
+attributes:
+  - id
+  - name
+  - memory
+  - vcpus
+  - disk
+  - size
+  - image
+  - networks
+  - volume_ids
+  - tags
+  - region
+keyed_groups:
+  - key: do_tags | lower
+    prefix: ''
+    separator: ''
+compose:
+  ansible_host: do_networks.v4 | selectattr('type','eq','public')
+    | map(attribute='ip_address') | first
+  class: do_size.description | lower
+  distro: do_image.distribution | lower
diff --git a/matplotlib.org.yml b/matplotlib.org.yml
@@ -0,0 +1,36 @@
+---
+- hosts: website
+  tasks:
+    - name: Enable copr
+      ansible.builtin.dnf:
+        name: "dnf-command(copr)"
+        state: present
+    - name: Enable caddy copr
+      community.general.copr:
+        name: "@caddy/caddy"
+        state: enabled
+
+    - name: Install server maintenance
+      ansible.builtin.dnf:
+        name: "fail2ban"
+        state: present
+
+    - name: Install web server requirements
+      ansible.builtin.dnf:
+        name:
+          - caddy
+          - git
+          - mailcap
+          - python3-aiohttp
+        state: present
+
+    - name: Install server monitoring tools
+      ansible.builtin.dnf:
+        name:
+          - golang-github-prometheus
+          - golang-github-prometheus-alertmanager
+          - golang-github-prometheus-node-exporter
+          - grafana
+          # Remove this when Loki is packaged.
+          - podman
+        state: present
