DuckCorp Infrastructure

This is the root of the DuckCorp Admin Team materials used to install, configure and manage services.

DuckCorp is committed to Free Software, thus all materials are published under the GPL v3 License (see details of the license in the COPYING file).


All sensitive materials are encrypted; read the Dealing with Secrets chapter to learn more about this.

Configuration Management & Deployment

We use Ansible to help us automate as much as possible; you'll find more about it in the ansible directory.

Still, many things are handled manually; this is a work in progress.


Our TLS certificates are managed using mkcert. The mkcert.conf file holds the DuckCorp-specific configuration, and services contains the specific service names not in /etc/services. The keys configuration and resulting certificates are stored in the pki directory.

With this layout, mkcert can be run in-place (at the top-level of this repository), automagically finding its configuration and work directories.


In the scripts directory are the following scripts:

  • adm_check_*: this series of scripts checks various resources hosted by DuckCorp against the outside world to see if there is any misconfiguration or if the hosting became obsolete (without the user telling us, which happens very often…)
  • adm_publish_tlsa: compute TLSA DNS RR for DNSSEC-enabled DNS zones based on the available TLS certificates
  • check_certs_expiration: warn when certificates are nearly expired (or already expired)

They are meant to be run in-place from the top of this repository. The lib subdirectory contains code shared between the scripts.


The admin-oriented documentation can be found alongside the other materials, but for some topics we might write a dedicated explanation and store it in the doc directory.

For Admin Team Members

Sensitive Data

You need to set the ANSIBLE_VAULT_PASSWORD_FILE environment variable with the path to the password file.


First, clone [the repository](ssh:// You should probably have a look at the Requirements in the underlying directories too.

Git configuration

  • Always create a merge commit: $ git config --local merge.ff false
  • Allow only fast-forward merges when using pull: $ git config --local pull.ff only
  • All commits must be GPG signed: $ git config --local commit.gpgSign true
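
One way to check a clone against the three settings listed above and the ANSIBLE_VAULT_PASSWORD_FILE requirement, as an added example that is not part of the DuckCorp scripts. The function name check_clone_policy is hypothetical, and values are compared literally, as the commands above write them.

```shell
#!/bin/sh
# Added example: audit a clone against the settings this README asks
# Admin Team members to apply. check_clone_policy is a hypothetical name.

# Prints one FAIL line per deviation; returns 0 only if the clone complies.
check_clone_policy() {
    repo=$1
    rc=0
    # key=value pairs taken from the "Git configuration" list
    for pair in merge.ff=false pull.ff=only commit.gpgSign=true; do
        key=${pair%%=*}
        want=${pair#*=}
        # --local: only the repository's own config is inspected, so a
        # permissive or strict global config cannot mask a missing setting
        got=$(git -C "$repo" config --local --get "$key" 2>/dev/null) || got='(unset)'
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: expected '$want', found '$got'"
            rc=1
        fi
    done
    # Ansible Vault reads the password file path from the environment
    if [ -z "${ANSIBLE_VAULT_PASSWORD_FILE:-}" ]; then
        echo "FAIL ANSIBLE_VAULT_PASSWORD_FILE is not set"
        rc=1
    elif [ ! -r "$ANSIBLE_VAULT_PASSWORD_FILE" ]; then
        echo "FAIL ANSIBLE_VAULT_PASSWORD_FILE does not point to a readable file"
        rc=1
    fi
    return $rc
}
```

Run `check_clone_policy .` from the top of the clone; a non-zero status means at least one setting deviates.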

Dealing with Secrets

We use Ansible Vault to hide some parameters like service credentials, user personal information or emails to avoid SPAM.

Git attributes are defined to make diffing and merging these files easy.

Your configuration needs to be enhanced to tell Git how to handle these files. This is very easy; look at this URL for more info:


Git usage

When merging a branch, use the --verify-signatures switch. If this fails, then DO NOT MERGE!!!

When adding a submodule, please use the HTTPS URL to allow contributors to clone it. Also use --name to set the submodule name; otherwise the path is taken by default. Then, you can ask Git to automatically rewrite the URL to the right form with this command:

git config --global url.ssh://

For External Contributor

You're welcome to contribute ideas, report problems, send patches… using our Ticket Tracker (in the Contribution tracker).

You can clone this repository or browse it.


duckcorp-infra @ master

Name Size Revision Age Author Comment
  ansible 26a4d9ad about 2 hours Marc Dequènes extend memory limit
  doc 02d7c212 9 months Marc Dequènes Elwing: switch to new ISP
  pki 478f9d52 4 days Marc Dequènes restore certificates removed ...
  scripts 171152bb 4 months Marc Dequènes lib/ansible_inventory: find_host_by_fqdn() is n...
.gitignore 221 Bytes 134fa877 4 months Marc Dequènes ignore '__pycache__' directories
.gitmodules 2.5 KB d33dfd14 about 22 hours Marc Dequènes switch to PHP FPM
COPYING 34.3 KB 5d76f2d8 over 1 year Marc Dequènes First public version
 3.85 KB 6f55d8c4 11 months Marc Dequènes document a better way to access DC's VCS as a c...
mkcert.conf 154 Bytes 5d76f2d8 over 1 year Marc Dequènes First public version
services 347 Bytes e9b7d9a0 12 months Marc Dequènes removed obsolete im_gateway service #2

Latest revisions

# Date Author Comment
26a4d9ad 2019-04-18 13:09 Marc Dequènes extend memory limit

8ebc0d63 2019-04-18 12:18 Marc Dequènes update submodules
c7ffb59d 2019-04-18 12:17 Marc Dequènes dc-web: install PHP configuration
3c1ad57f 2019-04-18 09:09 Marc Dequènes dc_check: fix apt-forktracer call
9665b40c 2019-04-18 08:41 Marc Dequènes dc-base: add galaxy_info
6f3901d1 2019-04-18 08:41 Marc Dequènes dc_check: filter apt-forktracer output
f2c3c540 2019-04-18 08:16 Marc Dequènes web: switch to Apache event MPM

    Now that we switched to PHP FPM and do not need mod_php, we can now use
    the new MPM.

    And since we switched, the hold on apache2 to keep prefork+HTTP2
    working is no more necessary.

    closes #645

7476bf06 2019-04-18 07:13 Marc Dequènes switch to PHP FPM
55ec75d4 2019-04-18 06:30 Marc Dequènes dc-web: switch to PHP FPM for status pages
b797580d 2019-04-18 05:29 Marc Dequènes switch to PHP FPM
