These files describe and define how all servers and service are run on queer.haus. This repository is used to handle changes in configuration and to set up and start new servers.
https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html
For linux we also need jq
macos$ brew install ansible
linux$ sudo apt install ansible jqhttps://bitwarden.com/help/article/cli/#download-and-install
macos$ brew install bitwarden-cli
linux$ sudo snap install bwRunning these commands will ask for BECOME password:, then enter your personal queerhaus linux user sudo password.
Set up ansible on your machine:
make setupTo run all configuration updates in PRODUCTION:
make productionMany secret values in this repo like tokens, passwords and other sensitive data is encrypted using Ansible Vault. An encrypted value in the YAML file looks like this.
smtp_user: !vault |
$ANSIBLE_VAULT;1.1;AES256
39653634343538343236373065376364326635323966363035616532316161386136626566366262Many encrypted values are also stored in a single file group_vars/all/vault. These are then referenced in group_vars/all/vars as {{ vault_variable_name }}.
To decrypt these values you need the master password that was used to encrypt them. We use the open source password manager BitWarden to store this vault password. Included in this repo is a small script that will automatically ask you to login to and unlock your bitwarden account to retrieve this password.
Once BitWarden is unlocked and the password retrieved, all encrypted values will automatically be decrypted as you run Ansible commands.
To edit an encrypted file in place you can use this command:
ansible-vault edit group_vars/all/vault
To be able to run any of these commands you need to have access to the servers. We do this with a personal user that has your SSH public key. All linux users that exist on our servers are defined in group_vars/all/vars.
First you need an SSH key. If you already have one you can use that. Check if you have a key:
cat ~/.ssh/id_rsa.pubIf you do not have a key, you can generate a new modern key using the ed25519 method like this. Make sure that you enter a passphrase for your key.
ssh-keygen -t ed25519Then you need to take the generated public key and put it in the group_vars/all/vars file.
cat ~/.ssh/id_ed25519.pubYour linux user that will be created on our servers also needs a password. This will be used for "sudo" operations. You can generate one that is directly encrypted like this.
ansible-vault encrypt_string $(mkpasswd --method=sha-512) --name sudo_passwordWe are using Github actions to build our docker images. These images are then stored in Github Packages. For the server to access packages we need to authenticate. This is done via a "Personal Access Token".
Go to this link and generate a new token: https://github.com/settings/tokens/new
Give it a name so you know what it is used for, and select the scope "read:packages".
Then run this token through the Ansible Vault crypto like this:
ansible-vault encrypt_string "username:token" --name github_personal_access_tokenAdd the SSH public key and the encrypted password that you've created to the group_vars/all/vars file. A full entry looks something like this.
queer_users:
- name: myuser
ssh_public_keys:
- "ssh-ed25519 AAAAC3Nz...LMVyT"
sudo_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
3135643764653863623662633133396131313665303036360a386264623139336238386337336462
github_personal_access_token: !vault |
$ANSIBLE_VAULT;1.1;AES256
6639306334336538353133626663643538643266616132630a323632623036343132356630313530