|
| 1 | +# Description |
| 2 | + |
| 3 | +Herein lie all ansible related files __except__ for `ansible.cfg` at the root of the repo for easier usage without having to `cd` here. |
| 4 | + |
| 5 | +# Usage |
| 6 | + |
| 7 | +Simply run the play related to the specific type of configuration you want to deploy: |
| 8 | +```sh |
| 9 | + > ls -1 ansible/*.yml |
| 10 | +ansible/bootstrap.yml |
| 11 | +ansible/upgrade.yml |
| 12 | +ansible/main.yml |
| 13 | +``` |
| 14 | +```sh |
| 15 | +ansible-playbook ansible/main.yml |
| 16 | +``` |
| 17 | + |
| 18 | +# Bootstrap |
| 19 | + |
| 20 | +All hosts are bootstraped right after provisioning using these roles: |
| 21 | + |
| 22 | +* [status-im/infra-role-bootstrap-linux](https://github.com/status-im/infra-role-bootstrap-linux) |
| 23 | +* [status-im/infra-role-bootstrap-macos](https://github.com/status-im/infra-role-bootstrap-macos) |
| 24 | +* [status-im/infra-role-bootstrap-windows](https://github.com/status-im/infra-role-bootstrap-windows) |
| 25 | + |
| 26 | +If you want to re-run any bootstrap step you can do it like so: |
| 27 | +```sh |
| 28 | +ansible-playbook ansible/bootstrap.yml -t role::bootstrap:hostname |
| 29 | +``` |
| 30 | +In this case only the `hostname` set of tasks will be executed due to the `role::bootstrap:hostname` tag. |
| 31 | + |
| 32 | +# Inventory |
| 33 | + |
| 34 | +The inventory we use is crated by Terraform via the [`terraform-provider-ansible`](https://github.com/nbering/terraform-provider-ansible) which generates the necessary data structures in the [Consul Key/Value store](https://www.consul.io/docs/dynamic-app-config/kv) that is later used by the [`terraform.py`](./terraform.py) script to provide hosts and their variables to Ansible. |
| 35 | + |
| 36 | +Some ways to view existing hosts: |
| 37 | +```sh |
| 38 | +ansible localhost -m debug -a 'var=groups' |
| 39 | +ansible all -o -m debug -a 'var=ansible_host' | columns -t |
| 40 | +``` |
| 41 | + |
| 42 | +A backup of the Terraform state is created at `.terraform/terraform.tfstate.backup`. It is symetrically encrypted using [Fernet algorithm](https://cryptography.io/en/latest/fernet/) with a key generated from haed `CONSUL_HTTP_TOKEN` and can be decrypted by using [`decrypt_tf_backup.py`](https://github.com/status-im/infra-utils/blob/master/terraform/decrypt_tf_backup.py) script. |
| 43 | + |
| 44 | +# Variables |
| 45 | + |
| 46 | +Ansible variables can be provided to Ansible using the `--extra-vars`/`-e` flag. An example of such a flag is: |
| 47 | +```yaml |
| 48 | +compose_state: 'present' |
| 49 | +compose_recreate: 'smart' |
| 50 | +compose_restart: false |
| 51 | +``` |
| 52 | +
|
| 53 | +These are used in every role that starts docker containers. You can use them to change the behaviour of roles. |
| 54 | +For example to re-create all metric related containers use: |
| 55 | +```sh |
| 56 | +ansible-playbook ansible/main.yml -e compose_recreate=always |
| 57 | +``` |
| 58 | + |
| 59 | +# Secrets |
| 60 | + |
| 61 | +Secrets are stored and provided in three ways: |
| 62 | + |
| 63 | +* [password-store](https://www.passwordstore.org/) - Using [`passwordstore`](https://docs.ansible.com/ansible/latest/collections/community/general/passwordstore_lookup.html) plugin for core infra secrets. |
| 64 | +* [Vault](https://www.vaultproject.io/) - Using [`vault`](./lookup_plugins/vault.py) plugin for service secrets. |
| 65 | + |
| 66 | +Read [secrets management guide](https://docs.infra.status.im/guides/secret_management.html) for more details. |
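Review bot: The Secrets section says secrets are stored and provided "in three ways", but the list that follows has only two entries (password-store and Vault); either document the third mechanism or change the count. In the Inventory section, the sentence about `.terraform/terraform.tfstate.backup` should state plainly that the Fernet key is derived from `CONSUL_HTTP_TOKEN`, so anyone holding that token can decrypt the backup and the file needs the same handling as the token itself; it would also help to name the hash used, since the sentence only says the token is hashed. In the Variables section, "An example of such a flag is:" is followed by a YAML block of variables rather than a flag, so reword it to something like "Examples of such variables:". Smaller points: "bootstraped", "crated", "symetrically" and "haed" look like typos for "bootstrapped", "created", "symmetrically" and "hashed", and `columns -t` in the second inventory command is probably meant to be `column -t`.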