From f55633611c5720a3de00cb1ff77fc06bdbd92a07 Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade
Date: Thu, 13 Feb 2025 05:52:20 -0500
Subject: [PATCH 1/4] Remove manual setting of firewall during droplet creation

The firewall is now attached to droplet tags, and thus is automatically added to new droplets since we tag them.
---
 README.md  | 2 +-
 create.yml | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 7b4b00a..15e4d12 100644
--- a/README.md
+++ b/README.md
@@ -117,7 +117,7 @@ Initial setup
 The summary of the initial setup is:
 1. Create the droplet with monitoring and relevant SSH keys.
-2. Assign new droplet to the matplotlib.org project and the Web firewall.
+2. Assign new droplet to the matplotlib.org project.
 3. Add DNS entries pointing to the server on CloudFlare.
 4. Grab the SSH host fingerprints.
 5. Reboot.
diff --git a/create.yml b/create.yml
index ea0a501..938f687 100644
--- a/create.yml
+++ b/create.yml
@@ -91,8 +91,6 @@
       community.digitalocean.digital_ocean_droplet:
         state: present
         name: "{{ host }}.matplotlib.org"
-        firewall:
-          - Web
         image: fedora-39-x64
         monitoring: true
         project: matplotlib.org

From 749216a66bc98d91d01c978d91d5602a366f170d Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade
Date: Thu, 13 Feb 2025 05:55:01 -0500
Subject: [PATCH 2/4] Document what permissions the tokens need

---
 README.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 15e4d12..12e8129 100644
--- a/README.md
+++ b/README.md
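Review bot: Removing the explicit `firewall:` attachment leaves the Web firewall dependent solely on the tag-based association the commit message describes, and the task context visible in this hunk (`state`, `name`, `image`, `monitoring`, `project`) does not show the `tags:` that association relies on, so it presumably lives in the part of the task outside the hunk. If that tag is ever dropped or the firewall's tag binding is edited in the DigitalOcean console, a new droplet will come up with no firewall and this playbook will not notice. Consider a post-creation check, e.g. a `community.digitalocean.digital_ocean_firewall_info` lookup followed by an `ansible.builtin.assert` that the new droplet's ID appears in the Web firewall's `droplet_ids`, plus a comment on the task such as `# The Web firewall is attached through the droplet tag, not here; keep the tag in sync with the firewall definition.` The droplet task continues outside the hunk.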
@@ -37,10 +37,14 @@ Before you can run our Ansible playbooks, you need to meet the following
 prerequisites:
 * Create a DigitalOcean API token, and pass it to the inventory generator by
-  setting the `DO_API_TOKEN` environment variable.
+  setting the `DO_API_TOKEN` environment variable. The API token must have
+  access to the following scopes:
+  - Read: droplet, firewall, monitoring, project, ssh_key
+  - Create: droplet
+  - Update: droplet, monitoring, project
 * If you are creating a new droplet, and want to configure DNS as well, then
-  create a CloudFlare API token, and pass it to the Ansible playbook by setting
-  the `CLOUDFLARE_TOKEN` environment variable.
+  create a CloudFlare API token with DNS edit permissions, and pass it to the
+  Ansible playbook by setting the `CLOUDFLARE_TOKEN` environment variable.
 * Set the vault decryption password of the Ansible vaulted file with our
   secrets. This may be done by setting the `ANSIBLE_VAULT_PASSWORD_FILE`
   environment variable to point to a file containing the password.

From 7f8359fb9fb232bf32fde69263b441df0b6a9aa8 Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade
Date: Thu, 13 Feb 2025 21:38:24 -0500
Subject: [PATCH 3/4] Add more information to droplet creation

Also, set tags in CloudFlare DNS.
---
 README.md                    |  9 ++++++++-
 collections/requirements.yml |  2 +-
 create.yml                   | 17 +++++++++++++++++
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 12e8129..8dd21fa 100644
--- a/README.md
+++ b/README.md
@@ -148,7 +148,8 @@ ansible-playbook create.yml --extra-vars "host=pluto functional=web99 ssh_keys='
 The playbook will create the server, as well as add DNS records on CloudFlare.
 Note, you must set `DO_API_TOKEN` and `CLOUDFLARE_TOKEN` in the environment to
-access these services.
+access these services. The droplet ID and IP address will be printed at the
+end of the playbook.
 Then, to ensure you are connecting to the expected server, you should grab the SSH host keys via the DigitalOcean Droplet Console:
@@ -173,6 +174,12 @@ Finally, you should reboot the droplet. This is due to a bug in cloud-init on
 DigitalOcean, which generates a new machine ID after startup, causing system logs to be seem invisible.
+This can be done from the Console, or via the CLI:
+
+```
+doctl compute droplet-action reboot
+```
+
 Running Ansible
 ---------------
diff --git a/collections/requirements.yml b/collections/requirements.yml
index 4a795f3..712d59b 100644
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -2,5 +2,5 @@
 collections:
   - name: ansible.posix
   - name: community.general
-    version: ">=2.0.0"
+    version: ">=8.0.0"
   - name: community.digitalocean
diff --git a/create.yml b/create.yml
index 938f687..f927d60 100644
--- a/create.yml
+++ b/create.yml
@@ -115,6 +115,8 @@
           map(attribute='ip_address') | first }}
+        tags:
+          - website
         zone: matplotlib.org
     - name: Setup functional DNS for droplet on CloudFlare
@@ -124,8 +126,23 @@
         record: "{{ functional }}"
         type: CNAME
         value: "{{ host }}.matplotlib.org"
+        tags:
+          - website
         zone: matplotlib.org
+    - name: Print droplet info
+      ansible.builtin.debug:
+        msg:
+          - "Droplet ID is {{ new_droplet.data.droplet.id }}"
+          - >-
+            First Public IPv4 is {{
+            (new_droplet.data.droplet.networks.v4 | selectattr('type', 'equalto', 'public')).0.ip_address |
+            default('', true) }}
+          - >-
+            First Private IPv4 is {{
+            (new_droplet.data.droplet.networks.v4 | selectattr('type', 'equalto', 'private')).0.ip_address |
+            default('', true) }}
+
   vars:
     # We currently name servers based on planets in the Solar System.
     valid_planets:

From 7f56982d4727f342a2d23aebfe30de981fcdd07c Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade
Date: Thu, 13 Feb 2025 22:42:12 -0500
Subject: [PATCH 4/4] Update to Fedora 41

---
 README.md                 |  7 +++----
 create.yml                |  2 +-
 files/dnf5-automatic.conf |  2 ++
 matplotlib.org.yml        | 11 ++++++++---
 4 files changed, 14 insertions(+), 8 deletions(-)
 create mode 100644 files/dnf5-automatic.conf

diff --git a/README.md b/README.md
index 8dd21fa..98400bf 100644
--- a/README.md
+++ b/README.md
@@ -164,10 +164,9 @@ Note down the outputs to verify later, e.g.,
 ```
 # Use these for comparison when connecting yourself.
-1024 SHA256:J2sbqvhI/VszBtVvPabgxyz6sRnGLrZUn0kqfv4doAM root@mercury.matplotlib.org (DSA)
-256 SHA256:J0rOMayXhL1+5wbm4WQNpAvmscDjqwJjAtk1SLemRMI root@mercury.matplotlib.org (ECDSA)
-256 SHA256:y8EDRGMpLWOW72x47MVKsAfSAl8JHjsOc/RGaiMTPGs root@mercury.matplotlib.org (ED25519)
-3072 SHA256:AyuNO8FES5k9vobv0Pu9XpvtjVFZ1bTTNxb1lo+AuRA root@mercury.matplotlib.org (RSA)
+256 SHA256:p6MiA8+IO1WcpXHDOQ4rhiVCo+MDxWB7ehfNfxvbDkU root@venus.matplotlib.org (ECDSA)
+256 SHA256:RfDahJqnQFLeFN+zl9f+hmB+W05OoZK26NfNQkj6KtY root@venus.matplotlib.org (ED25519)
+3072 SHA256:tYwdULlz5/XP5Ze7PCj9XpO3VIMEZkiOiFuhr9nke34 root@venus.matplotlib.org (RSA)
 ```
 Finally, you should reboot the droplet. This is due to a bug in cloud-init on
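Review bot: The `.0` subscript in the new `Print droplet info` messages is applied to the output of `selectattr`, which Jinja2 returns as a generator rather than a list, so the lookup likely resolves to undefined and `default('', true)` then prints an empty address instead of failing. The DNS task earlier in this file already uses the working form of the same expression, `selectattr('type', 'equalto', 'public') | map(attribute='ip_address') | first`, and the debug messages should use it too (or `| list | first`) so that a droplet with no public address surfaces as an error rather than a blank line. If the empty default is intentional for the private address, a comment saying so would help, e.g. `# Private address may be absent; print blank rather than fail.` The `tasks:` list these tasks belong to starts outside the hunk.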
diff --git a/create.yml b/create.yml
index f927d60..47a4a0a 100644
--- a/create.yml
+++ b/create.yml
@@ -91,7 +91,7 @@
       community.digitalocean.digital_ocean_droplet:
         state: present
         name: "{{ host }}.matplotlib.org"
-        image: fedora-39-x64
+        image: fedora-41-x64
         monitoring: true
         project: matplotlib.org
         region: tor1
diff --git a/files/dnf5-automatic.conf b/files/dnf5-automatic.conf
new file mode 100644
index 0000000..5d40e60
--- /dev/null
+++ b/files/dnf5-automatic.conf
@@ -0,0 +1,2 @@
+[commands]
+apply_updates = yes
diff --git a/matplotlib.org.yml b/matplotlib.org.yml
index dee35ab..f9be944 100644
--- a/matplotlib.org.yml
+++ b/matplotlib.org.yml
@@ -45,7 +45,7 @@
     - name: Install server maintenance
       ansible.builtin.dnf:
         name:
-          - dnf-automatic
+          - dnf5-plugin-automatic
           - fail2ban
         state: present
@@ -63,8 +63,8 @@
         name:
           - golang-github-prometheus
           - golang-github-prometheus-alertmanager
-          - golang-github-prometheus-node-exporter
           - grafana
+          - node-exporter
           # Remove this when Loki is packaged.
           - podman
         state: present
@@ -77,9 +77,14 @@
     # Automatic updates # #################
+    - name: Configure automatic updates
+      ansible.builtin.copy:
+        src: dnf5-automatic.conf
+        dest: /etc/dnf/dnf5-plugins/automatic.conf
+
     - name: Enable automatic updates
       ansible.builtin.systemd:
-        name: dnf-automatic-install.timer
+        name: dnf5-automatic.timer
         enabled: true
         state: started
pFad - Phonifier reborn
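Review bot: `apply_updates = yes` installs every available update unattended, but nothing in this file handles the reboot that kernel, glibc or systemd updates need before they take effect, so the running host can lag its patched on-disk state until someone reboots it by hand. If the dnf5 automatic plugin shipped with Fedora 41 honours it, a `reboot = when-needed` line in the same `[commands]` section would close that gap; if not, record the expectation in the file, e.g. `# Updates are applied automatically; reboot manually after kernel or glibc updates.` It is also worth deciding explicitly whether all updates or only security updates should go in unattended on a production web host, and documenting that choice here.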
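Review bot: The new `Configure automatic updates` copy task sets no `owner`, `group` or `mode`, so the permissions of `/etc/dnf/dnf5-plugins/automatic.conf` follow the remote umask at the time of the copy and can differ between runs, which makes the file's state non-idempotent and harder to audit. Add `owner: root`, `group: root` and `mode: "0644"` (quoted, so YAML does not read the octal as the integer 420), matching the explicit-mode convention recommended for Ansible copy tasks. The destination directory is presumably created by the `dnf5-plugin-automatic` package installed in the earlier hunk, so the ordering of the two tasks matters and a short comment noting that dependency would help future edits. The play that contains these tasks starts outside the hunk.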
