eriol/mornie.org
1
0
Fork 0
Code

Compare commits

base: eriol:158368179d7d96a0eea3c73b71540be8948e196c
Branches Tags
eriol:main
...
compare: eriol:16ab6aa7f79e1b8108fed4eb3619b048c3acf8bf
Branches Tags
eriol:main

2 commits
158368179d ... 16ab6aa7f7

Author SHA1 Message Date
Daniele Tricoli 16ab6aa7f7 Add post: My first minutes on personal servers
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-02-13 19:30:41 +01:00
Daniele Tricoli 24d443a1a9 Show drafts during development 2021-02-13 19:30:07 +01:00
2 changed files with 88 additions and 1 deletions
Show stats Expand all files Collapse all files

2
Makefile
View file

@ -7,4 +7,4 @@ clean:
rm -rf public
serve:
@zola serve
@zola serve --drafts

87
content/blog/my-first-minutes-personal-servers.md Normal file
View file

@ -0,0 +1,87 @@
+++
date = 2021-02-13 16:21:45+01:00
title = "My first minutes on personal servers"
[taxonomies]
tags = ["ansible", "automation", "sysadmin"]
+++
Almost a year ago I decided to migrate to a new VPS provider but I wanted to
reduce the effort required to setup and maintain it.
I started to learn and use ansible and I developed a personal [collection of
roles](https://noa.mornie.org/eriol/ansible-collection-kit). Since ansible 2.10
you don't need to use [Ansible Galaxy](https://galaxy.ansible.com/), you can
just install it from git: this is great because I'm trying to stop using
services that can't be self-hosted and Ansible Galaxy need a Github account to
login.
To install my collection I just add the following stanza into
`requirements.yml`:
```yaml
---
collections:
- name: https://noa.mornie.org/eriol/ansible-collection-kit
type: git
version: 0.2.5
```
and then:
```shell
ansible-galaxy collection install -f -r requirements.yml
```
I use the `-f` to handle the upgrade of the collection since it's easier to
just recall the command from history, but from ansible-base 2.11 [it will not
be required anymore](https://github.com/ansible/ansible/issues/65699).
## Security is hard
A little but **important** digression before continuing. I used the word
**personal** on purpose on the title of this post. It's not to say that on a
personal server/service you can have a lower standard regarding security.
It's to say that security is built around the applications that the system
support and context. For example, on my personal VPS I'm the **only** user.
This is a **huge** assumption and simplify a lot of things like accountability.
Keep in mind this if you want to use my collection.
## How I bootstrap a new server
I have the following playbook `server-bootstrap.yml` with the common part:
```yaml
---
- name: bootstrap operations for a new server
hosts: "{{ hostlist | default('bootstrapable') }}"
roles:
- eriol.kit.common
- eriol.kit.hostname
- eriol.kit.admin
- {role: eriol.kit.nftables, when: not is_docker_used}
- {role: eriol.kit.iptables, when: is_docker_used}
- eriol.kit.sshd
- eriol.kit.fail2ban
```
I keep all the servers in a `bootstrapable` group so I can just execute
`server-bootstrap.yml` playbook, but if I want a specific playbook for a server
I do:
```yaml
---
- name: import the common server part
vars:
hostlist: example.org
import_playbook: server-bootstrap.yml
- name: stuff for example.org
hosts: example.org
roles:
- # YOUR ROLES HERE
```
This way I don't have to write down the common part. All the variables are
inside the inventory split between groups variables and specific hosts
variables to make the playbooks generic.