Skip to content

Commit

Permalink
Add an Ansible playbook for creating a droplet
Browse files Browse the repository at this point in the history
  • Loading branch information
@QuLogic
QuLogic committed Dec 19, 2023
1 parent 06f901b commit 9e22fde
Show file tree
Hide file tree
Showing 3 changed files with 148 additions and 48 deletions.
70 changes: 22 additions & 48 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,9 @@ prerequisites:

* Create a DigitalOcean API token, and pass it to the inventory generator by
setting the `DO_API_TOKEN` environment variable.
* If you are creating a new droplet, and want to configure DNS as well, then
create a CloudFlare API token, and pass it to the Ansible playbook by setting
the `CLOUDFLARE_TOKEN` environment variable.
* Set the vault decryption password of the Ansible vaulted file with our
secrets. This may be done by setting the `ANSIBLE_VAULT_PASSWORD_FILE`
environment variable to point to a file containing the password.
Expand Down Expand Up @@ -99,9 +102,11 @@ Naming
We follow a simplified version of the naming scheme on [this blog
post](https://mnx.io/blog/a-proper-server-naming-scheme/):

* Servers are named `<prefix>.matplotlib.org` in A records.
* Servers get a functional CNAME alias (e.g., `web01.matplotlib.org`).
* matplotlib.org is a CNAME to the functional CNAME of a server.
* Servers are named `<prefix>.matplotlib.org` in A records, pointing to the
IPv4 address of the droplet.
* Servers get a functional CNAME alias (e.g., `web01.matplotlib.org`) pointing
to the hostname `<prefix>.matplotlib.org`.
* matplotlib.org is a CNAME alias of the functional CNAME of a server.

We use [planets in our Solar System](https://namingschemes.com/Solar_System)
for the name prefix. When creating a new server, pick the next one in the list.
Expand All @@ -113,50 +118,27 @@ The summary of the initial setup is:

1. Create the droplet with monitoring and relevant SSH keys.
2. Assign new droplet to the matplotlib.org project and the Web firewall.
3. Grab the SSH host fingerprints.
4. Reboot.
3. Add DNS entries pointing to the server on CloudFlare.
4. Grab the SSH host fingerprints.
5. Reboot.

We currently use a simple $10 droplet from DigitalOcean. You can create one
from the control panel, or using the `doctl` utility. Be sure to enable
monitoring, and add the `website` tag and relevant SSH keys to the droplet. An
example of using `doctl` is the following:
We currently use a simple $12 droplet from DigitalOcean. You can create one
from the control panel, or using the `create.yml` Ansible playbook:

```
doctl compute droplet create \
--image fedora-35-x64 \
--region tor1 \
--size s-1vcpu-2gb \
--ssh-keys <key-id>,<key-id> \
--tag-name website \
--enable-monitoring \
venus.matplotlib.org
ansible-playbook create.yml
```

Note, you will have to use `doctl compute ssh-key list` to get the IDs of the
relevant SSH keys saved on DigitalOcean, and substitute them above. Save the ID
of the new droplet from the output, e.g., in:
This playbook will prompt you for 3 items:

```
ID Name Public IPv4 Private IPv4 Public IPv6 Memory VCPUs Disk Region Image VPC UUID Status Tags Features Volumes
294098687 mpl.org 2048 1 50 tor1 Fedora 35 x64 new website monitoring,droplet_agent
```

the droplet ID is 294098687.
1. The host name of the droplet, which should follow the naming convention
above.
2. The functional CNAME alias of the droplet.
3. The names of SSH keys to add to the droplet.


You should also assign the new droplet to the `matplotlib.org` project and the
`Web` firewall:

```
doctl projects list
# Get ID of the matplotlib.org project from the output.
doctl projects resources assign <project-id> --resource=do:droplet:<droplet-id>
doctl compute firewall list
# Get ID of the Web firewall from the output.
doctl compute firewall add-droplets <firewall-id> --droplet-ids <droplet-id>
```
Then it will create the server, as well as add DNS records on CloudFlare. Note,
you must set `DO_API_TOKEN` and `CLOUDFLARE_TOKEN` in the environment to access
these services.

Then, to ensure you are connecting to the expected server, you should grab the
SSH host keys via the DigitalOcean Droplet Console:
Expand All @@ -181,14 +163,6 @@ Finally, you should reboot the droplet. This is due to a bug in cloud-init on
DigitalOcean, which generates a new machine ID after startup, causing system
logs to be seem invisible.

DNS setup
---------

1. Add an A record for `<prefix>.matplotlib.org` to the IPv4 address of the new
droplet.
2. Add a CNAME record for `webNN.matplotlib.org` pointing to the given
`<prefix.matplotlib.org>`.

Running Ansible
---------------

Expand Down
1 change: 1 addition & 0 deletions collections/requirements.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,5 @@
collections:
- name: ansible.posix
- name: community.general
version: ">=2.0.0"
- name: community.digitalocean
125 changes: 125 additions & 0 deletions create.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,125 @@
---
- hosts: localhost
tasks:
- name: Gather information about DigitalOcean droplets
community.digitalocean.digital_ocean_droplet_info:
register: do_droplets
- name: Gather information about DigitalOcean SSH keys
community.digitalocean.digital_ocean_sshkey_info:
register: do_ssh_keys

- name: Print info on existing droplets
ansible.builtin.debug:
msg: >-
{{ item.name }}:
{{ item.networks.v4 | map(attribute='ip_address') | join(',') }}
loop: "{{ do_droplets.data }}"
loop_control:
label: "{{ item.id }}"

- name: "Enter name for new droplet (subdomain only)"
ansible.builtin.pause:
register: input_name

- name: "Enter functional name for new droplet (webNN)"
ansible.builtin.pause:
register: input_functional

- name: Print available SSH public keys
ansible.builtin.debug:
msg: "{{ item.name}} {{ item.fingerprint }}"
loop: "{{ do_ssh_keys.data }}"
loop_control:
label: "{{ item.id }}"

- name: "Enter SSH key names for new droplet (space separated)"
ansible.builtin.pause:
register: input_ssh_keys

- name: Set droplet facts
ansible.builtin.set_fact:
host: "{{ input_name.user_input | trim }}"
functional: "{{ input_functional.user_input | trim }}"
ssh_keys: >-
{{
do_ssh_keys.data |
selectattr('name', 'in',
input_ssh_keys.user_input | split | map('trim')) |
map(attribute='fingerprint')
}}
- name: Verify droplet configuration
ansible.builtin.assert:
that:
- host in valid_planets
# Must not be an existing name.
- >-
do_droplets.data |
selectattr('name', 'equalto', '{{ host }}.matplotlib.org') |
count == 0
# TODO: Also check that functional name doesn't already exist.
- functional is regex('^web[0-9][0-9]$')
# At least 1 key, and same number as requested.
- ssh_keys | length >= 1
- ssh_keys | length == input_ssh_keys.user_input | split | length

- name: Print configuration
ansible.builtin.debug:
msg: "Creating droplet '{{ host }}' with SSH keys {{ ssh_keys }}"

- name: Please verify the above configuration
ansible.builtin.pause:

- name: Create droplet on DigitalOcean
community.digitalocean.digital_ocean_droplet:
state: present
name: "{{ host }}.matplotlib.org"
firewall:
- Web
image: fedora-39-x64
monitoring: true
project: matplotlib.org
region: tor1
size: s-1vcpu-2gb
ssh_keys: "{{ ssh_keys }}"
tags:
- website
unique_name: true
register: new_droplet

- name: Setup DNS for droplet on CloudFlare
community.general.cloudflare_dns:
state: present
proxied: true
record: "{{ host }}"
type: A
value: >-
{{
new_droplet.data.droplet.networks.v4 |
selectattr('type', 'equalto', 'public') |
map(attribute='ip_address') |
first
}}
zone: matplotlib.org

- name: Setup functional DNS for droplet on CloudFlare
community.general.cloudflare_dns:
state: present
proxied: true
record: "{{ functional }}"
type: CNAME
value: "{{ host }}.matplotlib.org"
zone: matplotlib.org

vars:
# We currently name servers based on planets in the Solar System.
valid_planets:
- mercury
- venus
- earth
- mars
- jupiter
- saturn
- uranus
- neptune
- pluto

0 comments on commit 9e22fde

Please sign in to comment.