From f55633611c5720a3de00cb1ff77fc06bdbd92a07 Mon Sep 17 00:00:00 2001 From: Elliott Sales de Andrade Date: Thu, 13 Feb 2025 05:52:20 -0500 Subject: [PATCH 1/4] Remove manual setting of firewall during droplet creation The firewall is now attached to droplet tags, and thus is automatically added to new droplets since we tag them. --- README.md | 2 +- create.yml | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index 7b4b00a..15e4d12 100644 --- a/README.md +++ b/README.md @@ -117,7 +117,7 @@ Initial setup The summary of the initial setup is: 1. Create the droplet with monitoring and relevant SSH keys. -2. Assign new droplet to the matplotlib.org project and the Web firewall. +2. Assign new droplet to the matplotlib.org project. 3. Add DNS entries pointing to the server on CloudFlare. 4. Grab the SSH host fingerprints. 5. Reboot. diff --git a/create.yml b/create.yml index ea0a501..938f687 100644 --- a/create.yml +++ b/create.yml @@ -91,8 +91,6 @@ community.digitalocean.digital_ocean_droplet: state: present name: "{{ host }}.matplotlib.org" - firewall: - - Web image: fedora-39-x64 monitoring: true project: matplotlib.org From 749216a66bc98d91d01c978d91d5602a366f170d Mon Sep 17 00:00:00 2001 From: Elliott Sales de Andrade Date: Thu, 13 Feb 2025 05:55:01 -0500 Subject: [PATCH 2/4] Document what permissions the tokens need --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 15e4d12..12e8129 100644 --- a/README.md +++ b/README.md @@ -37,10 +37,14 @@ Before you can run our Ansible playbooks, you need to meet the following prerequisites: * Create a DigitalOcean API token, and pass it to the inventory generator by - setting the `DO_API_TOKEN` environment variable. + setting the `DO_API_TOKEN` environment variable. The API token must have + access to the following scopes: + - Read: droplet, firewall, monitoring, project, ssh_key + - Create: droplet + - Update: droplet, monitoring, project * If you are creating a new droplet, and want to configure DNS as well, then - create a CloudFlare API token, and pass it to the Ansible playbook by setting - the `CLOUDFLARE_TOKEN` environment variable. + create a CloudFlare API token with DNS edit permissions, and pass it to the + Ansible playbook by setting the `CLOUDFLARE_TOKEN` environment variable. * Set the vault decryption password of the Ansible vaulted file with our secrets. This may be done by setting the `ANSIBLE_VAULT_PASSWORD_FILE` environment variable to point to a file containing the password. From 7f8359fb9fb232bf32fde69263b441df0b6a9aa8 Mon Sep 17 00:00:00 2001 From: Elliott Sales de Andrade Date: Thu, 13 Feb 2025 21:38:24 -0500 Subject: [PATCH 3/4] Add more information to droplet creation Also, set tags in CloudFlare DNS. --- README.md | 9 ++++++++- collections/requirements.yml | 2 +- create.yml | 17 +++++++++++++++++ 3 files changed, 26 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 12e8129..8dd21fa 100644 --- a/README.md +++ b/README.md @@ -148,7 +148,8 @@ ansible-playbook create.yml --extra-vars "host=pluto functional=web99 ssh_keys=' The playbook will create the server, as well as add DNS records on CloudFlare. Note, you must set `DO_API_TOKEN` and `CLOUDFLARE_TOKEN` in the environment to -access these services. +access these services. The droplet ID and IP address will be printed at the +end of the playbook. Then, to ensure you are connecting to the expected server, you should grab the SSH host keys via the DigitalOcean Droplet Console: @@ -173,6 +174,12 @@ Finally, you should reboot the droplet. This is due to a bug in cloud-init on DigitalOcean, which generates a new machine ID after startup, causing system logs to be seem invisible. +This can be done from the Console, or via the CLI: + +``` +doctl compute droplet-action reboot +``` + Running Ansible --------------- diff --git a/collections/requirements.yml b/collections/requirements.yml index 4a795f3..712d59b 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -2,5 +2,5 @@ collections: - name: ansible.posix - name: community.general - version: ">=2.0.0" + version: ">=8.0.0" - name: community.digitalocean diff --git a/create.yml b/create.yml index 938f687..f927d60 100644 --- a/create.yml +++ b/create.yml @@ -115,6 +115,8 @@ map(attribute='ip_address') | first }} + tags: + - website zone: matplotlib.org - name: Setup functional DNS for droplet on CloudFlare @@ -124,8 +126,23 @@ record: "{{ functional }}" type: CNAME value: "{{ host }}.matplotlib.org" + tags: + - website zone: matplotlib.org + - name: Print droplet info + ansible.builtin.debug: + msg: + - "Droplet ID is {{ new_droplet.data.droplet.id }}" + - >- + First Public IPv4 is {{ + (new_droplet.data.droplet.networks.v4 | selectattr('type', 'equalto', 'public')).0.ip_address | + default('', true) }} + - >- + First Private IPv4 is {{ + (new_droplet.data.droplet.networks.v4 | selectattr('type', 'equalto', 'private')).0.ip_address | + default('', true) }} + vars: # We currently name servers based on planets in the Solar System. valid_planets: From 7f56982d4727f342a2d23aebfe30de981fcdd07c Mon Sep 17 00:00:00 2001 From: Elliott Sales de Andrade Date: Thu, 13 Feb 2025 22:42:12 -0500 Subject: [PATCH 4/4] Update to Fedora 41 --- README.md | 7 +++---- create.yml | 2 +- files/dnf5-automatic.conf | 2 ++ matplotlib.org.yml | 11 ++++++++--- 4 files changed, 14 insertions(+), 8 deletions(-) create mode 100644 files/dnf5-automatic.conf diff --git a/README.md b/README.md index 8dd21fa..98400bf 100644 --- a/README.md +++ b/README.md @@ -164,10 +164,9 @@ Note down the outputs to verify later, e.g., ``` # Use these for comparison when connecting yourself. -1024 SHA256:J2sbqvhI/VszBtVvPabgxyz6sRnGLrZUn0kqfv4doAM root@mercury.matplotlib.org (DSA) -256 SHA256:J0rOMayXhL1+5wbm4WQNpAvmscDjqwJjAtk1SLemRMI root@mercury.matplotlib.org (ECDSA) -256 SHA256:y8EDRGMpLWOW72x47MVKsAfSAl8JHjsOc/RGaiMTPGs root@mercury.matplotlib.org (ED25519) -3072 SHA256:AyuNO8FES5k9vobv0Pu9XpvtjVFZ1bTTNxb1lo+AuRA root@mercury.matplotlib.org (RSA) +256 SHA256:p6MiA8+IO1WcpXHDOQ4rhiVCo+MDxWB7ehfNfxvbDkU root@venus.matplotlib.org (ECDSA) +256 SHA256:RfDahJqnQFLeFN+zl9f+hmB+W05OoZK26NfNQkj6KtY root@venus.matplotlib.org (ED25519) +3072 SHA256:tYwdULlz5/XP5Ze7PCj9XpO3VIMEZkiOiFuhr9nke34 root@venus.matplotlib.org (RSA) ``` Finally, you should reboot the droplet. This is due to a bug in cloud-init on diff --git a/create.yml b/create.yml index f927d60..47a4a0a 100644 --- a/create.yml +++ b/create.yml @@ -91,7 +91,7 @@ community.digitalocean.digital_ocean_droplet: state: present name: "{{ host }}.matplotlib.org" - image: fedora-39-x64 + image: fedora-41-x64 monitoring: true project: matplotlib.org region: tor1 diff --git a/files/dnf5-automatic.conf b/files/dnf5-automatic.conf new file mode 100644 index 0000000..5d40e60 --- /dev/null +++ b/files/dnf5-automatic.conf @@ -0,0 +1,2 @@ +[commands] +apply_updates = yes diff --git a/matplotlib.org.yml b/matplotlib.org.yml index dee35ab..f9be944 100644 --- a/matplotlib.org.yml +++ b/matplotlib.org.yml @@ -45,7 +45,7 @@ - name: Install server maintenance ansible.builtin.dnf: name: - - dnf-automatic + - dnf5-plugin-automatic - fail2ban state: present @@ -63,8 +63,8 @@ name: - golang-github-prometheus - golang-github-prometheus-alertmanager - - golang-github-prometheus-node-exporter - grafana + - node-exporter # Remove this when Loki is packaged. - podman state: present @@ -77,9 +77,14 @@ # Automatic updates # ################# + - name: Configure automatic updates + ansible.builtin.copy: + src: dnf5-automatic.conf + dest: /etc/dnf/dnf5-plugins/automatic.conf + - name: Enable automatic updates ansible.builtin.systemd: - name: dnf-automatic-install.timer + name: dnf5-automatic.timer enabled: true state: started