Skip to content

Latest commit

 

History

History
97 lines (66 loc) · 2.81 KB

README.md

File metadata and controls

97 lines (66 loc) · 2.81 KB

#! Admin Tools

Ansible playbooks and other admin tools/docs for maintaining the #! network.

Requirements

  • Recent version of Ansible
  • Local #! pass database
  • User with sudo access on all servers

Git configuration

You might also want to use the following snippet in ~/.gitconfig:

[diff "gpg"]
	textconv = gpg --no-tty --decrypt
	cachetextconv = false
[diff "ansible-vault"]
	textconv = ansible-vault view
	cachetextconv = false

SSH configuration

All the “service servers” (as opposed to shell servers) listen for SSH on port 8993 (ASCII-encoding of #!), and the user is core, with the following exceptions:

  • lon1.irc.hashbang.sh and sfo1.irc.hashbang.sh do not yet follow that convention;
  • git-infra.hashbang.sh is a service hosted on nyc3.apps.hashbang.sh which uses port 22.

This is expressed in the following .ssh/config snippet:

Host da1.hashbang.sh ny1.hashbang.sh sf1.hashbang.sh to1.hashbang.sh
     User your_nick

Host git-infra.hashbang.sh
     User git

Host sfo1.irc.hashbang.sh ldap.hashbang.sh
     User core

Host *.hashbang.sh hashbang.sh
     User core
     Port 8993

Playbooks

There are several playbooks present here:

  • shell.yml is used to synchronise the configuration (incl. installed packages) across the shell servers.

  • credentials.yml is used to deploy the admin's SSH keys across all servers:

    • admins can login as root on the shell servers;
    • they can login as core on the CoreOS servers.
  • coreos.yml performs CoreOS-specific tasks. Currently, it only bootstraps the Ansible agent's dependencies.

  • mail.yml deploy the mail aliases and Postfix configuration.

  • irc.yml deploys static and templated configuration to the IRC servers, including oper blocks for users defined in group_vars/all/users.yml.

  • ldap_ban.yml disables user accounts in LDAP and terminates their sessions on the shell servers; it requires python-ldap installed. Invoke as follows:

      ansible-playbook ldap_ban.yml
    

    For scripting purposes, the script accepts a comma-separated list of users, (users), and a Boolean determining if the homedirs should be deleted (delete).

Usage

Install a package

See doc/Installing_packages.md.

Making a configuration change

  1. Prepare your change for shell-etc, test it locally.
  2. Create a pull-request for it on Github, wait for a review.
  3. Perform a signed merge into master: git merge -S --no-ff branch
    Only merge into master things that you will deploy immediately. Do not merge if you aren't in a position to follow-up with a deploy.
  4. Run the shell.yml playbook, see below.

Sync packages & configuration across all shell servers

Simply run the appropriate Ansible playbook:

ansible-playbook shell.yml