  • Freifunk Stuttgart Ansible

    Setup

    Install ansible

    Install Ansible from your distribution, or create a virtualenv and install it from pip:

    1. Create virtualenv: python3 -m venv my-venv-directory
    2. Enter virtualenv: source my-venv-directory/bin/activate
    3. Install ansible: pip install ansible

    Then, install requirements from Ansible Galaxy:

    LC_ALL=C.UTF-8 ansible-galaxy install -r requirements.yml

    Using nix

    Use nix-shell or nix develop to use ansible.

    Update to newer nixpkgs version (check functionality and add a commit afterwards):

    nix flake update

    Using direnv

    Run mkdir .direnv && direnv allow . to enable direnv integration with nix flakes.

    SSH Aliases

    Some hosts are only reachable through a jumphost, e.g. containers or VMs on a Proxmox host. To reach them, this playbook assumes you have configured an SSH alias in your ssh_config (~/.ssh/config):

    host *.vm.freifunk-stuttgart.de
            proxyjump nrb@jumphost.freifunk-stuttgart.de
            user root

    To get access to all machines, include the repository's ssh-config file from your ~/.ssh/config instead of the lines above (adjust the path). ssh uses the first value it finds for each option, so keep the Include ahead of any other Host block that could match the same hosts:

    Host *
    Include ~/git/freifunk/infrastruktur-ansible/ssh-config

    Vault

    The Ansible vault password can be stored in the system keyring using the vault-keyring-client.py script, so it never has to be written into the working tree.

    To set the vault password initially, run:

    ./vault-keyring-client.py --vault-id ansible-ffs --set

    The password itself can be found in Vaultwarden.

    Usage

    To deploy everything everywhere:

    LC_ALL=C.UTF-8 ansible-playbook -v -i inventory/ all.yml

    To deploy everything on a single host

    LC_ALL=C.UTF-8 ansible-playbook -v -i inventory/test --limit example.com all.yml

    where example.com denotes the hostname as defined in the inventory directory.

    Roles

    Users

    Deploys user accounts on systems and deploys public keys.

    The user database

    The idea is to maintain a global user database in group_vars/all. For each user, we store the UID and a list of public keys there. Example entry for a user named johndoe with UID 1234 and a public key:

    user_database:
      johndoe:
        uid: 1234
        pubkeys:
          - "ssh-rsa ... john@doe"

    Creating user accounts

    Note that an entry in user_database on its own does not create the account anywhere.

    Use a host var or a group var to actually create users.

    Creating accounts on hosts

    To create a user on a specific host, define the variable users in host_vars

    For example adding this to host_vars/example.com/users:

    users:
      - johndoe

    will deploy the johndoe user as defined in the user_database above on example.com.

    Creating accounts on groups

    Listing users per host is tedious if you just want to grant a group of people access to every host in an inventory group. To do that, define the variable users_group in group_vars.

    For example adding this to group_vars/dc01:

    users_group:
      - johndoe

    will deploy the johndoe user as defined in the user_database above on all hosts in the group dc01.

    Deploying pubkeys for the root user

    Pubkeys defined in the user_database can also be deployed for the root user.

    Deploying pubkeys for the root user on hosts

    This is achieved by adding a user's name to the users_root list. For example adding this to host_vars/example.com/users:

    users_root:
      - johndoe

    will deploy all pubkeys defined in the user_database for johndoe in the root account on host example.com.

    Deploying pubkeys for the root user on groups

    This is achieved by adding a user's name to the users_root_group list. For example adding this to group_vars/dc01:

    users_root_group:
      - johndoe

    will deploy all pubkeys defined in the user_database for johndoe in the root account on all hosts in group dc01.
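    The following is an added example, not the project's role code, that resolves what the four lists above (users and users_root in host_vars, users_group and users_root_group in group_vars) produce for a given host, and adds the two checks a practitioner wants before running the role: every referenced name must exist in user_database, and no two users may share a UID. The host names, group names, UIDs and key blobs are constructed for the example; the union of host-level and group-level lists is an assumption about how such a role would merge them, since Ansible treats the two as separate variables.

```python
"""Resolve the accounts and root authorized_keys a host receives.

Added example (not the project's role code).  It assumes the data model the
README describes: a global ``user_database`` in group_vars/all, per-host
``users``/``users_root`` lists in host_vars and per-group
``users_group``/``users_root_group`` lists in group_vars.  All sample data
below is constructed for the example.
"""
from __future__ import annotations

# Constructed sample data; the key blobs are placeholders, not real keys.
USER_DATABASE = {
    "johndoe": {"uid": 1234, "pubkeys": ["ssh-ed25519 AAAAC3Nz...john john@doe"]},
    "alice": {
        "uid": 1235,
        "pubkeys": [
            "ssh-ed25519 AAAAC3Nz...alice alice@laptop",
            "ssh-rsa AAAAB3Nz...alice alice@desktop",
        ],
    },
}

# Constructed host_vars / group_vars / inventory groups (hypothetical hosts).
HOST_VARS = {
    "example.com": {"users": ["johndoe"], "users_root": ["johndoe"]},
    "db01.example.com": {"users": ["johndoe"]},
}
GROUP_VARS = {"dc01": {"users_group": ["alice"], "users_root_group": ["alice"]}}
INVENTORY_GROUPS = {"dc01": ["db01.example.com", "web01.example.com"]}


class UnknownUser(KeyError):
    """A host or group references a user missing from user_database."""


def validate_database(db: dict) -> list[str]:
    """Return human-readable problems: duplicate UIDs and users without keys."""
    problems: list[str] = []
    seen_uid: dict[int, str] = {}
    for name, entry in db.items():
        uid = entry.get("uid")
        if uid in seen_uid:
            problems.append(f"uid {uid} shared by {seen_uid[uid]} and {name}")
        else:
            seen_uid[uid] = name
        if not entry.get("pubkeys"):
            problems.append(f"{name} has no pubkeys; the account would be unreachable")
    return problems


def groups_of(host: str) -> list[str]:
    """Inventory groups that contain *host* (sorted for deterministic output)."""
    return sorted(g for g, members in INVENTORY_GROUPS.items() if host in members)


def resolve(host: str) -> tuple[dict[str, int], list[str]]:
    """Return ({account: uid}, [root authorized_keys lines]) for *host*.

    Host-level and group-level lists are distinct variables, so they are
    unioned here rather than one overriding the other.  Any name that is not
    in user_database aborts the resolution instead of silently being skipped.
    """
    hv = HOST_VARS.get(host, {})
    accounts = set(hv.get("users", []))
    root_users = set(hv.get("users_root", []))
    for group in groups_of(host):
        gv = GROUP_VARS.get(group, {})
        accounts |= set(gv.get("users_group", []))
        root_users |= set(gv.get("users_root_group", []))

    unknown = sorted((accounts | root_users) - USER_DATABASE.keys())
    if unknown:
        raise UnknownUser(f"{host}: not in user_database: {', '.join(unknown)}")

    uids = {name: USER_DATABASE[name]["uid"] for name in sorted(accounts)}
    root_keys = [key for name in sorted(root_users)
                 for key in USER_DATABASE[name]["pubkeys"]]
    return uids, root_keys


if __name__ == "__main__":
    for problem in validate_database(USER_DATABASE):
        print("database:", problem)
    for host in ("example.com", "db01.example.com", "web01.example.com"):
        uids, root_keys = resolve(host)
        print(f"{host}: accounts={uids} root_keys={len(root_keys)}")
```

    Run as a script it prints, per host, the accounts with their UIDs and how many keys end up in root's authorized_keys; db01.example.com gets johndoe from host_vars plus alice from the dc01 group, while root on every dc01 host accepts only alice's keys.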

    DHCP Server

    We support up to 4 DHCP servers in our network. The config is generated using FfsConfigGenerator (https://github.com/freifunk-stuttgart/FfsConfigGenerator), which contains the IP ranges of all our segments.

    The range served by a DHCP server (the pool in Kea terminology) is determined by the instance number of the DHCP server. Set it in the dhcp_server_instance variable. Valid values are 1-4.