DuckCorp Infrastructure

This is the root of the DuckCorp Admin Team materials used to install, configure and manage services.

DuckCorp is committed to Free Software, thus all materials are published under the GPL v3 License (see details of the license in the COPYING file).

Materials

All sensitive materials are encrypted, read the Dealing with Secrets chapter to know more about this.

Configuration Management & Deployment

We use Ansible to help us automate as much as possible; you'll find more about it in the ansible directory.

Still, many things are handled manually; this is WIP.

PKI

Our TLS certificates are managed using mkcert. The mkcert.conf file holds the DuckCorp-specific configuration, and services contains the specific service names not in /etc/services. The keys configuration and resulting certificates are stored in the pki directory.

With this layout, mkcert can be run in-place (at the top-level of this repository), automagically finding its configuration and work directories.

Scripts

In the scripts directory are the following scripts:

  • adm_check_*: this series of scripts checks various resources hosted by DuckCorp against the outside world to see if there is any misconfiguration or if the hosting became obsolete (without the user telling us, which happens very often…)
  • adm_publish_tlsa: compute TLSA DNS RR for DNSSEC-enabled DNS zones based on the available TLS certificates
  • check_certs_expiration: warn when certificates are nearly expired (or already expired)

They are meant to be run in-place from the top of this repository. The lib subdirectory contains code factorized between the scripts.
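As an added illustration of what adm_publish_tlsa computes (this is not the DuckCorp script itself), the following Python builds a DANE TLSA record from a DER certificate using only the standard library. The certificate bytes are a constructed, X.509-shaped stand-in, and the host name, port and "3 1 1" parameters are assumptions for the demo:

```python
import hashlib

def der_tlv(buf: bytes, pos: int = 0):
    """Parse one DER TLV at pos; returns (tag, content, end). Definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content: bytes):
    """Split a constructed value into (tag, raw TLV bytes) for each child."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = der_tlv(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert, _ = der_tlv(cert_der)  # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)       # first child: tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    # An explicit [0] version (tag 0xA0) precedes serialNumber and shifts the SPKI index.
    return fields[6 if fields[0][0] == 0xA0 else 5][1]

def tlsa_record(host, port, cert_der, usage=3, selector=1, mtype=1, proto="tcp"):
    """Format a TLSA RR (RFC 6698); 3 1 1 = DANE-EE pinning the SHA-256 of the SPKI."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    digest = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {mtype} {digest}"

def tlv(tag: int, value: bytes) -> bytes:
    """Encode a DER TLV with a short-form length (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value

def sample_cert_der() -> bytes:
    """Constructed, minimal X.509-shaped DER (not a real certificate) for the demo."""
    spki = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")) + tlv(0x03, b"\x00\x04\x01\x02"))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + spki
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(tlsa_record("db.duckcorp.org", 443, sample_cert_der()))
```

Selector 1 (SPKI) keeps the record valid across certificate renewals that reuse the key, which is why the DNS record is usually published before the new certificate is deployed.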

Documentation

The admin-oriented documentation can be found alongside the other materials, but for some topics we might write a dedicated explanation and store it in the doc directory.

For Admin Team Members

Sensitive Data

You need to set the ANSIBLE_VAULT_PASSWORD_FILE environment variable with the path to the password file.

Requirements

First, clone [the repository](ssh://vcs-git.duckcorp.org/srv/vcs/git/duckcorp/duckcorp-infra.git). You should probably have a look at the Requirements in the underlying directories too.

Git configuration

  • Always create a merge commit: $ git config --local merge.ff false
  • Allow fast-forward merges when using pull: $ git config --local pull.ff only
  • All commits must be GPG signed: $ git config --local commit.gpgSign true

Dealing with Secrets

We use Ansible Vault to hide some parameters like service credentials, user personal information or emails to avoid SPAM.

To make diff-ing and merging easy, git attributes are defined for these files.

Your git configuration needs to be extended to tell git how to handle these files. This is very easy; look at this URL for more info:

https://github.com/building5/ansible-vault-tools
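An added example (not part of the repository) of a pre-commit style check that reuses those git attributes to catch a vault file that was committed in plaintext. The attribute name ansible-vault (the one used by ansible-vault-tools), the patterns and the file tree are assumptions for the demo:

```python
import fnmatch

VAULT_MAGIC = b"$ANSIBLE_VAULT;"  # first bytes of every ansible-vault encrypted file

def vault_patterns(gitattributes: str) -> list:
    """Return the path patterns that .gitattributes marks with diff=ansible-vault.

    Assumes the attribute name used by ansible-vault-tools ("ansible-vault").
    """
    patterns = []
    for line in gitattributes.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *attrs = line.split()
        if "diff=ansible-vault" in attrs:
            patterns.append(pattern)
    return patterns

def unencrypted_secrets(files: dict, patterns: list) -> list:
    """Paths matching a vault pattern whose content lacks the vault header."""
    bad = []
    for path, content in sorted(files.items()):
        # Approximation of git's matching: try the full path and the basename
        # (fnmatch's '*' also crosses '/', unlike git's, which is fine here).
        name = path.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatch(path, p) or fnmatch.fnmatch(name, p) for p in patterns):
            if not content.startswith(VAULT_MAGIC):
                bad.append(path)
    return bad

# Constructed sample tree (not the real repository contents).
SAMPLE_GITATTRIBUTES = """\
# keep vaulted files diff-able via `ansible-vault view` (see ansible-vault-tools)
*.vault diff=ansible-vault merge=ansible-vault
ansible/**/vault.yml diff=ansible-vault merge=ansible-vault
"""
SAMPLE_FILES = {
    "ansible/group_vars/all/vault.yml": b"$ANSIBLE_VAULT;1.1;AES256\n3132...\n",
    "ansible/host_vars/db/vault.yml": b"db_password: hunter2\n",  # plaintext by mistake
    "pki/secrets.vault": b"$ANSIBLE_VAULT;1.1;AES256\n6162...\n",
    "ansible/README.md": b"not a secret\n",
}

def check_tree(files=SAMPLE_FILES, gitattributes=SAMPLE_GITATTRIBUTES) -> list:
    """Pre-commit style check: list files that should be vaulted but are not."""
    return unencrypted_secrets(files, vault_patterns(gitattributes))

if __name__ == "__main__":
    print("unencrypted vault files:", check_tree())
```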

Git usage

When merging a branch, use the --verify-signatures switch. If this fails, then DO NOT MERGE!!!

When adding a submodule, please use the HTTPS URL to allow contributors to clone. Also use --name to set the submodule name, otherwise the path is taken by default. Then, you can set the push URL to the right form by adapting the following command to your needs:

git submodule foreach 'git config remote.origin.pushurl ssh://vcs-git.duckcorp.org/srv/vcs/git/duckcorp/ansible-role-$name'

For External Contributors

You're welcome to contribute ideas, report problems, send patches… using our Ticket Tracker (in the Contribution tracker).

You can clone this repository or browse it.


Latest revisions

# Date Author Comment
378881c1 2018-02-10 01:07 Arnaud Fontaine

add/remove email addresses for 'arnau' user account.

5935e7a3 2018-02-09 10:57 Marc Dequènes (Duck)

dc-irc: don't load namesx module twice

startup then fails

f32c8fcf 2018-01-24 01:29 Marc Dequènes (Duck)

httpd: pending changes were merged

459f1619 2018-01-23 09:00 Marc Dequènes (Duck)

updated httpd role but disable use of modern MPM until PHP can be migrated to FPM

68b9126b 2018-01-22 15:21 Marc Dequènes (Duck)

updated httpd* roles: workaround for Ansible#26294 was updated

61a97fbe 2018-01-21 02:47 Marc Dequènes (Duck)

enable safe commands in check mode

690dfd3a 2018-01-21 02:45 Marc Dequènes (Duck)

dc-base: use find instead of shell

ab06f878 2018-01-21 02:13 Marc Dequènes (Duck)

fix submodule URL update doc in 5ce7c5f

5ce7c5fc 2018-01-21 00:59 Marc Dequènes (Duck)

fix submodule URL for contributor's cloning, and document how to handle them

c275e80e 2018-01-20 21:01 Marc Dequènes (Duck)

dc-web: remove obsolete reference to ca.duckcorp.org
