This is the root of the DuckCorp Admin Team materials used to install, configure and manage services.
DuckCorp is commited to Free Software, thus all materials are published under the GPL v3 License (see details of the license in the
All sensitive materials are encrypted, read the
Dealing with Secrets chapter to know more about this.
Configuration Management & Deployment
We use Ansible to help us automate as much as possible; you'll find more about it in the
Still, many things are handled manually, this is WIP.
Our TLS certificates are managed using mkcert. The
mkcert.conf file holds the DuckCorp-specific configuration, and
services contains the specific service names not in
/etc/services. The keys configuration and resulting certificates are stored in the
With this layout,
mkcert can be run in-place (at the top-level of this repository), automagically finding its configuration and work directories.
scripts directory are the following scripts:
adm_check_*: this series of scripts check various resources hosted by DuckCorp against the outside world to see if there is any misconfiguration or if the hosting became obsolete (without the user telling us, which happen very often…)
adm_publish_tlsa: compute TLSA DNS RR for DNSSEC-enabled DNS zones based on the available TLS certificates
check_certs_expiration: warn when certificates are nearly expired (or already expired)
They are meant to be run in-place from the top of this repository. The
lib subdirectory contains code factorized between the scripts.
The admin-oriented documentation can be found alongside the other materials, but for some topics we might write a dedicated explanation and store it in the
For Admin Team Members
You need to set the ANSIBLE_VAULT_PASSWORD_FILE environment variable with the path to the password file.
First, clone [the repository](ssh://vcs-git.duckcorp.org/srv/vcs/git/duckcorp/duckcorp-infra.git). You should probably have a look at the
Requirements in the underlying directories too.
- Always create a merge commit : $ git config --local merge.ff false
- Allow fast-forward merges when using pull : $ git config --local pull.ff only
- All commits must be GPG signed : $ git config --local commit.gpgSign true
Dealing with Secrets
We use Ansible Vault to hide some parameters like service credentials, user personal information or emails to avoid SPAM.
To make it easy git attributes are defined to make diff-ing and merging easy.
Your configuration needs to be enhanced to tel git how to handle these files. This is very easy, look at this URL for more info:
When merging a branch, use
--verify-signatures switch. If this fails, then DO NOT MERGE!!!
When adding submodule, please use the HTTPs URL to allow contributors to clone. Also use
--name to set the submodule name or the path is taken by default. Then, you can ask git to automatically rewrite the URL to the right form with this command:
git config --global url.ssh://vcs-git.duckcorp.org/srv/vcs/git/.insteadOf https://vcs-git.duckcorp.org/
For External Contributor
You're welcome to contribute ideas, report problems, send patches… using our Ticket Tracker (in the