Clusters and projects in the lab use a variety of Ansible roles for configuration purposes. There are also supplied playbooks and a recommended cluster environment layout to keep things clean.
We've set the roles_path parameter in a sample included ansible.cfg file so playbooks can be located in a subdirectory for the sake of organization.
Note
All of the roles described here assume Debian-based Linux systems. No effort was made to generalize to other Linux platforms or accommodate BSD. Carefully examine roles before attempting to use them on anything but a Debian, Ubuntu, Mint, etc., system.
Based on the TODO of roles that currently or will exist, these are the host groups that should be used to follow the best practices for this Ansible setup.
docker- Any system which should act as a Docker host. Recommended for using thedockerrole.home- Intended for "home" or "local" systems not otherwise part of a dev/stage/prod environment. This is commonly a system used to launch playbooks, code projects, and so on.proxmox- All Proxmox systems. Recommended for using theproxmoxrole.webserver- Any server which should serve HTTP(S), PHP, WSGI, etc. Recommended for using thewebserverrole.
The list of roles will continue to expand. Any variables mentioned here are listed with defaults so the role operates normally when they are unset.
This role should be applied to all servers in all environments, including the local "home" system. It sets a standard baseline of expectations. It performs multiple actions:
- Installs direnv, nano, less, and rsync as standard utilities.
- Strongly discourages kernel page swapping.
- Disables memory overcommit, and sets the amount of overcommit memory to the total RAM for the server.
- Defines a few useful CLI aliases.
- "Beautifies" the system prompt. Prompt includes user, hostname, current working directory, current date and time, and the number of commands executed in the shell. It is also color-coded based on environment using the following list: prod = red, stage = green, dev = green, local = blue. This makes it very obvious what environment is being accessed and minimizes mistakes.
env_name: Set to one ofprod,stage,dev, orlocal. Defaultdev.
Bootstraps a proxy host specifically for a K0s control plane. This allows multiple control plane nodes within a K0s cluster as described in the Control Plane High Availability documentation. This role will:
- Install and enable HAProxy
- Configure HAProxy to direct traffic on ports 6443, 8132, and 9443 to control plane nodes in a round-robin manner. Control plane nodes are identified as any nodes assigned to the
control_planegroup. - Restart HAProxy if necessary
Intended as a "meta" role, meant for public-facing servers of any kind.
- Installs and enables fail2ban using service defaults.
- Sets up
iptablesto reject all traffic from China and Lithuania as strong sources of past break-in attempts.
This role will eventually be modified to allow expanding or overriding the country blacklist.
Should prepare any Proxmox system for standard use.
- Installs and configures nginx to act as a proxy for the web admin dashboard.
- Overrides
sysstatto collect system information every minute rather than every 10 minutes.
These roles are planned but are not yet part of the repository. This may be because they are in some stage of testing, or require an internal migration before initial public-facing commit.
Install Docker and related utilties on desired hosts. This role will use the community edition directly from Docker's repositories.
- Removes any docker related packages from the distribution's standard repository.
- Installs the Docker-CE repository
- Installs Docker-CE, CLI, containerd, and the buildx and compose plugins.
- Adds the
ansible_uservariable user to thedockersystem group. - Reboots the system if the user was added to the
dockergroup.
Installs the standard web-server expected in the current stack and any necessary build utilities.
- Installs nginx configured for hosting any domains defined in the inventory.
- Installs a specified version of Hugo for site deployment.
Eventually this role will also set up Lets Encrypt for configured domains, likely using acmetool unless a better option presents itself.
hugo_version: This determines which version of Hugo to install. Should be eitherlatestor the version number with thevomitted; eg.0.124.0. Default islatest.public_facing: If true, will also include thefirewallrole. Strongly encourage enabling this on production systems. Default is false.