Create ansible playbooks for Elixir build server and for Phoenix Website

Author: ArturT

.gitignore

@@ -0,0 +1,13 @@
+.DS_Store
+.vagrant
+ubuntu-xenial-16.04-cloudimg-console.log
+*.retry
+callback_plugins/human_log.pyc
+/.downloaded_roles
+
+# ignore private pass that you use to encrypt/decrypt credentials with Ansible
+vault_pass.txt
+
+# ignore private keys for CI server
+/apps/elixir-build-server/circle_ci
+/apps/phoenix-website/circle_ci

LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2017 Lunar Logic https://lunarlogic.io
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,199 @@
+# Ansible Elixir Playbooks
+
+This project has ansible playbooks for:
+
+* Elixr Build Server - it has installed Erlang, Elixir and nodejs. Basically, all what is required to compile the Phoenix Framework application.
+* Phoenix Website - it is a playbook to provision server with installed PostgreSQL and configured nginx and Let's Encrypt for SSL. There is no Erlang/Elixir on this server because we will deploy there only compiled Phoenix application.
+
+You can learn more about the project from this blog post (TODO: add here url).
+
+## Requirements
+
+### Control machine (your computer)
+
+* Install [Ansible](https://www.ansible.com/)
+
+* Download roles:
+
+  ```shell
+  $ ansible-galaxy install -r requirements.yml
+  ```
+
+* Generate `vault_pass.txt` file into this repository. You need it to be able to encrypt/decrypt secrets.
+
+  :warning: For security reasons, the `vault_pass.txt` file should not be committed into the repository. It's ignored in `.gitignore`.
+
+  ```shell
+  $ openssl rand -base64 256 > vault_pass.txt
+  ```
+
+* Generate your DB password and put output to `apps/phoenix-website/host_vars/phoenix-website.lunarlogic.io`
+
+  ```shell
+  $ ansible-vault encrypt_string --name db_password "YOUR_DB_PASSWORD"
+  ```
+
+### Target machine (server)
+
+* Server with [Ubuntu](https://www.ubuntu.com/) 16.04 LTS.
+
+## Public keys
+
+We keep our public keys in [public_keys/] directory. This set of keys is uploaded to the server during each provisioning
+and overwrites the list of authorized keys, so proper people have access to the server. It is important to keep
+the list of keys up to date.
+
+If you don't know how to generate a key for yourself,
+[read this article](https://help.github.com/articles/connecting-to-github-with-ssh/).
+
+## App deployement
+
+### CircleCI deployment
+
+If you want to deploy app from CI to the staging/production host then you must generate RSA keys for CircleCI.
+
+```shell
+$ ssh-keygen -t rsa -b 4096 -N "" -C "circle_ci" -f ./apps/elixir-build-server/circle_ci
+$ ssh-keygen -t rsa -b 4096 -N "" -C "circle_ci" -f ./apps/phoenix-website/circle_ci
+```
+
+Add `circle_ci.pub` public key to your app playbook for the role `user`:
+
+```
+- role: user/0.0.1
+  username: phoenix
+  authorized_key_paths:
+    - ../../public_keys/*.pub
+    - ./circle_ci.pub # add this line
+```
+
+Go to CircleCI and find your project, open settings and find `SSH Permissions`. Click `Add an SSH key` button and paste there private key `apps/YOUR_APP_NAME/circle_ci`.
+
+Now you can remove private key `apps/YOUR_APP_NAME/circle_ci` from local machine. It should not be commited into repo!
+
+Commit into repo only public key `apps/YOUR_APP_NAME/circle_ci.pub`.
+
+You can always generate a new fresh keys if you need it hence no reason to backup private key. You already added it to CircleCI.
+
+## Run playbooks
+
+__Warning:__ This command will provision all servers listed in inventory file for particular app `apps/app_name`.
+
+```shell
+$ ./play apps/app_name
+```
+
+If you want to provision only specific machine do (it's useful if your app is deployed to multiple servers like staging and production):
+
+```shell
+# Warning: There must be comma and the end of the hosts list!
+$ ansible-playbook -i 'example-staging.lunarlogic.io,' apps/app_name/playbook.yml
+```
+
+## Provisioning logs
+
+You can check when and with what git commit the host was provisioned in log file: `/var/log/provision.log` (stored on the target machine).
+
+## System users
+
+There are 3 types of users on the server:
+
+* `root` - for provisioning
+* `admin` - user has the sudo access
+* `app_name_user` - for instance `phoenix` user for Phoenix Website application. The user has no sudo access. The application is running under this user.
+
+## Add playbook for new app
+
+* create new app directory in the `app` directory
+* in this new directory create `playbook.yml` and `inventory` files
+* in the `inventory` file put host names to provision (see [Ansible docs](http://docs.ansible.com/ansible/intro_inventory.html))
+* implement `playbook.yml`
+
+## Secrets
+
+We store secrets in encrypted version using [Vault]. If you are adding new secrets, make sure you commit them to the repository in the encrypted form.
+
+* Encrypting single values (that can be placed inside a "clear text" YAML file, using the `!vault` tag):
+
+  ```shell
+  $ ansible-vault encrypt_string --name pass_to_some_service "secret"  # stdout encrypted string
+  ```
+
+* Encrypting whole YAML files:
+
+  ```shell
+  $ ansible-vault encrypt secret.yml   # encrypt unencrypted file
+  $ ansible-vault edit secret.yml      # edit encrypted file
+  $ ansible-vault decrypt secret.yml   # decrypt encrypted file
+  ```
+
+## Roles
+
+### Role versioning
+
+We use roles versioning the simplest possible way, we just add version subdirectories under every role directory.
+
+```shell
+roles/role-name/role-version/ # e.g. roles/webserver/0.3.2/
+```
+
+To create a new version just copy an existing one, bump the role version and modify it.
+Please, respect [Semantic Versioning 2.0.0].
+
+### Community developed roles
+
+Include the roles in [requirements.yml] and download them using the following command:
+
+```shell
+$ ansible-galaxy install -r requirements.yml
+```
+
+### SSL with Let's Encrypt
+
+You can use `lets_encrypt` role to generate free SSL certificate thanks to https://letsencrypt.org
+
+#### Rate Limits
+
+The main limit is Certificates per Registered Domain (20 per week).
+
+https://letsencrypt.org/docs/rate-limits/
+
+If you are testing Let's Encrypt then use `staging` environment with higher limits!
+
+```
+- role: lets_encrypt/0.0.1
+  app_name: myapp
+  lets_encrypt_contact_email: [email protected]
+  lets_encrypt_environment: staging # you can change it to production once ready
+```
+
+#### If you want to change main domain for your certificate
+
+If you want to change main domain for your certificate then you need to generate a new certificate.
+
+Here is example file for [Phoenix Website project with multiple domains](apps/phoenix-website/host_vars/phoenix-website.lunarlogic.io).
+
+In order to generate a new certificate please remove first the old files generated by `lets_encrypt` role on the server:
+
+```shell
+$ rm -rf /etc/letsencrypt/accounts/*
+$ rm -rf /etc/letsencrypt/archive/*
+$ rm -rf /etc/letsencrypt/csr/*
+$ rm -rf /etc/letsencrypt/keys/*
+$ rm -rf /etc/letsencrypt/live/*
+$ rm -rf /etc/letsencrypt/renewal/*
+
+# remove the snippents that load SSL certificate
+$ rm -rf /etc/nginx/snippets/project_name
+```
+
+Ensure the nginx is running. It's required so Let's Encrypt can do request to our domain.
+Provision server again.
+
+Note: If you would like to add a new subdomain to domain list then you can just provision server and a new subdomain will be added to the certificate. You need to generate certificate from scrach only if you change the main domain (the first domain on the list of domains).
+
+
+[Vault]: http://docs.ansible.com/ansible/playbooks_vault.html
+[public_keys/]: public_keys/
+[requirements.yml]: requirements.yml
+[Semantic Versioning 2.0.0]: http://semver.org/

ansible.cfg

@@ -0,0 +1,7 @@
+[defaults]
+vault_password_file = ./vault_pass.txt
+roles_path = ./.downloaded_roles:./roles
+callback_plugins = ./callback_plugins
+
+[ssh_connection]
+control_path = %(directory)s/%%C

apps/elixir-build-server/circle_ci.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7MmV55/7vG7kCYmwwVVOYRGz2bT2RHlSmoAVGUZ95+hDdVIRKZsP3zs+jm0Kr08RlYlw1BToH0yyZK3rjq7QARfmw1zmwtVtccP3nscHT1KQyx+docjYdmsTLGm7ylKyHrQ+lOq80/rCMsnxf0S+/fxGEThGgh0zxRsEZUz0AofSqEgrm10PBcPdw7m6RE8DTEArjXaQRwhrlcMyEHaEvAVpLhEKjpE/9DY8ZJB4y8bxXlr0ORBaw0G6IPXVSOUaWNiJqgJ+OyzSqiMTqKDqg6BhSetcDCEMn3VW+kQquqbuU8qp6Yr8XjG+NXDb6gt4S48TdqQg/o4uZnNPUDW8otyyAcHBpVqdF1nNwqE80wvDHHpOytfD/+s9M2l43s6f/RV71myghtALxFKMo44Fzw30L0gsL79iQw8WXClI1bdBdjLiSG3vj67LKk+OCy335816VsfTYU7Oh7H6TUc5jooiUPKAopLF9Qm9WSFm8B1CW1UdajrWzT6SAdScFxaQbG6IUX4EDz32jz3mpDFN8huLCXkmgDctynhTROHJxq3vbOSOi8gGYUIDJuSbe2OvuMSZ1wILPqu5k1Tw5zMUC63Ggqi9TfRt++eX30hU4YVIyNJJEaiMmGTzSnN9/awUl5bqdmPkwQ9xrBhi8U4DR7edtX2LVUHfujpdL6PJNbQ== circle_ci

apps/elixir-build-server/inventory

@@ -0,0 +1 @@
+elixir-build-server.lunarlogic.io

apps/elixir-build-server/playbook.yml

@@ -0,0 +1,37 @@
+---
+- hosts: all
+  user: root
+  gather_facts: no
+  pre_tasks:
+    - name: install python
+      raw: sudo apt-get -y install python-minimal
+
+    - action: setup
+
+  roles:
+    - role: bootstrap/0.0.1
+      hostname: elixir-build-server
+      domain: lunarlogic.io
+      authorized_key_paths:
+        - ../../public_keys/*.pub
+
+    - role: user/0.0.1
+      username: admin
+      sudoer: True
+      authorized_key_paths:
+        - ../../public_keys/*.pub
+
+    - role: install-build-essential/0.0.1
+
+    - role: install_elixir/0.0.1
+
+    - role: install_nodejs/0.0.1
+
+    - role: user/0.0.1
+      username: builder
+      authorized_key_paths:
+        - ../../public_keys/*.pub
+        - ./circle_ci.pub
+
+    # This must be the last one role to log info about successfully provisioned machine.
+    - role: provision_log/0.0.1

apps/phoenix-website/circle_ci.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQChdYQSoh1rlAS1YBzoB4hMPA/Mm88WqV9ANa/gcxDH4Q+urc5MM35srlv7G9KMY5I0XHeFb1eT0GyldoNnvJFr6ZvtyaUAKloN8s4uavST7xofFhKH0WU3PhVM83Uu6kVDikfwmgTkvaW+dfkW02TWBJWP6taKPGRcVvGk5QISCxYKreUPFj0BIL+d66S2+vp2ypGpEAt3RjHfpa+ExgNnhqNk6pARhwQxGKa2wwgTcfPVdisBJ3cr0N1YTzLz+ko2KYQec2IR/W4gjsubKb7NeJpDkRDmYIqJUomQf5IA8OgXNZ1i/jt6W/3IXdq5wjnZKUAd88PvnFTVHGseY+QEvMlhqsUxZYAFqvbADyofNwilJsy4ZBU4tizR6dHJ4P5G9qT7D1MBx7AwbMiw2z/b2brLgrDcSHD/N/lT3+VJAASNQrn42PB+WaaDQhkCSPCVM+3njQisO24ARQNsqfRcaqDv/faBJKqLcRsk3QQkGgqaJVXWHLsLYAQxALsOz8QA2bWrO3rVy6vjFtLzgosgmB7zHfb39Pv966AWBn5BicYMCw1Pa2YEqNxcXcNOvXnquSL0IxCVTedT+hiJg8WKcRNbeZ0ZsW1zVIQW42X70nKlnC5S3aAx+6II8aVdXaSgjTypidkrv/n6mRimdNW+2tQCEHPMU5TQaDBXUHL20w== circle_ci

apps/phoenix-website/host_vars/phoenix-website.lunarlogic.io

@@ -0,0 +1,15 @@
+---
+hostname: phoenix
+domains:
+  # first domain is the main domain
+  - phoenix-website.lunarlogic.io
+  # other domains redirect to the main domain
+  - www.phoenix-website.lunarlogic.io
+db_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          35313965306661613265333736386365613931643764616533613137626161623232393261653832
+          6631393234313761303539316335373539663965613963620a663831366338383934346632643065
+          33646165303366623464623730363530656438373262373937396164383963396262393266343035
+          6137663666353562640a383361653635396437313936373365313431303734316461326364336538
+          63356331666263643665306561386664636138646265663036646331383037643531393366613963
+          3536313631373166303865303636393038396365306466376166

apps/phoenix-website/inventory

@@ -0,0 +1 @@
+phoenix-website.lunarlogic.io

apps/phoenix-website/playbook.yml

@@ -0,0 +1,46 @@
+---
+- hosts: all
+  user: root
+  gather_facts: no
+  pre_tasks:
+    - name: install python
+      raw: sudo apt-get -y install python-minimal
+
+    - action: setup
+
+  roles:
+    - role: bootstrap/0.0.1
+      authorized_key_paths:
+        - ../../public_keys/*.pub
+
+    - role: user/0.0.1
+      username: admin
+      sudoer: True
+      authorized_key_paths:
+        - ../../public_keys/*.pub
+
+    - role: install_nginx/0.0.1
+
+    - role: install_postgresql/0.0.1
+
+    - role: imagemagick/0.0.1
+
+    - role: user/0.0.1
+      username: phoenix
+      authorized_key_paths:
+        - ../../public_keys/*.pub
+        - ./circle_ci.pub
+
+    - role: configure-postgresql/0.0.1
+      username: phoenix
+      database_name: phoenix
+
+    - role: phoenix-app/0.0.1
+      username: phoenix
+      app_name: phoenix
+
+    - role: lets_encrypt/0.0.1
+      app_name: phoenix
+
+    # This must be the last one role to log info about successfully provisioned machine.
+    - role: provision_log/0.0.1