- ansible: Provisioning of wordspeak webserver and home firewall
- packer: Creation of OpenBSD virtualbox images
- vagrant: Vagrantfiles for each type of machine
Creation of VirtualBox images is done via packer.

- Set up or review the file (the varfile) containing the private packer variables (`ssh_private_key_file`, `ssh_public_key_str`, `root_bcrypt_hash`).
- `cd ~/Code/setup-scripts/packer`
- `packer build -var-file=<path-to-varfile> openbsd.json`
- The ovf and vmdk files will be found in the `output_directory` specified in the openbsd.json file. Take note of the path to the ovf file that's been created, as it is necessary below.
- `cd` into the directory under vagrant that defines the type of machine that you want, and look at the `config.vm.box` directive. Vagrant won't pull in the machine that you've just built if a box of that name has already been imported. If `vagrant box list` shows a box with the same name as the `config.vm.box` directive in the `Vagrantfile`, then run `vagrant box delete <name-of-box>`.
- Run `vagrant up`.
- If you haven't done a DHCP mapping, find the new IP address on the DHCP server (look for a recent DHCPACK log line in `/var/log/daemon` if it's OpenBSD).
- Login as root, using the private key associated with the `ssh_private_key_file` that was used in the packer setup phase.
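The two checks that tend to get skipped in the steps above (is there a stale box that will shadow the fresh image, and which lease did the new VM actually get) can be scripted. The helper below is an added example, not part of setup-scripts; the box name `example-openbsd-box`, the `vagrant box list` output and the dhcpd log lines are all constructed samples, and in real use you would pipe the live `vagrant box list` and `/var/log/daemon` into the functions instead.

```shell
#!/bin/sh
# Added helper (not part of setup-scripts): pre-flight checks for the
# "vagrant box delete" and "find the DHCPACK line" steps.

# Print the names from `vagrant box list` output (stdin) that equal the
# config.vm.box name given in $1. A non-empty result means a stale box is
# present and `vagrant box delete` is needed before `vagrant up`.
stale_box_names() {
    awk -v want="$1" '$1 == want { print $1 }'
}

# Print the address from OpenBSD dhcpd "DHCPACK on <ip> to <mac> via <if>"
# lines read from stdin. With a MAC address in $1 only that client's leases
# are printed; the most recent DHCPACK is the last line of output.
dhcpack_ips() {
    awk -v mac="$1" '
        /DHCPACK on / && (mac == "" || index($0, " to " mac " ") > 0) {
            for (i = 1; i < NF; i++) if ($i == "on") { print $(i + 1); break }
        }'
}

# Constructed sample of `vagrant box list` output (box names are hypothetical).
SAMPLE_BOX_LIST='example-openbsd-box (virtualbox, 0)
generic/alpine      (virtualbox, 1.0.0)'

# Constructed sample of /var/log/daemon lines written by OpenBSD dhcpd.
SAMPLE_DAEMON_LOG='Jul  1 10:02:11 fw dhcpd[4242]: DHCPDISCOVER from 08:00:27:aa:bb:cc via em1
Jul  1 10:02:11 fw dhcpd[4242]: DHCPOFFER on 192.168.56.101 to 08:00:27:aa:bb:cc via em1
Jul  1 10:02:12 fw dhcpd[4242]: DHCPREQUEST for 192.168.56.101 from 08:00:27:aa:bb:cc via em1
Jul  1 10:02:12 fw dhcpd[4242]: DHCPACK on 192.168.56.101 to 08:00:27:aa:bb:cc via em1
Jul  1 10:05:40 fw dhcpd[4242]: DHCPACK on 192.168.56.102 to 08:00:27:dd:ee:ff via em1'

main() {
    # Real usage: `vagrant box list | stale_box_names <name>` and
    # `dhcpack_ips <mac> < /var/log/daemon | tail -n 1`.
    stale="$(printf '%s\n' "$SAMPLE_BOX_LIST" | stale_box_names example-openbsd-box)"
    if [ -n "$stale" ]; then
        echo "stale box present, run: vagrant box delete $stale"
    fi
    echo "newest lease for 08:00:27:aa:bb:cc:"
    printf '%s\n' "$SAMPLE_DAEMON_LOG" | dhcpack_ips 08:00:27:aa:bb:cc | tail -n 1
}

# Run the demo only when executed as a script, so the functions can be sourced.
case "${0##*/}" in
    vagrant_preflight.sh) main ;;
esac
```

Filtering by the VM's MAC address matters on a shared DHCP server: without it the last DHCPACK in the log may belong to some other client, which is exactly the sort of mistake that leads to provisioning (and pushing a root key to) the wrong host.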
OpenBSD requires hand-installation for cloud providers and vagrant images, so we install it ourselves:

- do the install from CD
- set up all network interfaces
- do not set up a user
- start ssh and allow root login with 'prohibit-password'
- select the correct timezone
- default disk layout
- all packages (for simplicity)
- reboot
- add root's `.ssh/authorized_keys` via the console. The `.ssh` directory is 600, `authorized_keys` is 600.
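Because the console step is typed by hand, it is worth checking the result before relying on key-only root login: sshd's StrictModes refuses to read an `authorized_keys` file if it or its directory is writable by group or others. The script below is an added example, not part of setup-scripts; it verifies that neither `.ssh` nor `authorized_keys` grants anything to group or others, which the 600 modes above satisfy. The demo builds a constructed home directory under `mktemp -d`; it uses 700 on the directory rather than 600 only because an unprivileged user cannot enter a 600 directory, a restriction that does not apply to root, whose home the install step is concerned with.

```shell
#!/bin/sh
# Added example (not part of setup-scripts): check that a .ssh layout grants
# nothing to group or others, as the console install step requires.

# Symbolic mode as printed by `ls -ld`, e.g. "drwx------". This is portable
# between OpenBSD and Linux, whose stat(1) flags differ.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed when both the group and the other triplet are "---".
owner_only() {
    case "$(mode_of "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Check $1/.ssh and $1/.ssh/authorized_keys. Prints one line per problem
# and returns non-zero if anything is missing or too permissive.
check_ssh_layout() {
    rc=0
    for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1
        elif ! owner_only "$p"; then
            echo "mode $(mode_of "$p") grants group/other access: $p"; rc=1
        fi
    done
    return $rc
}

# Build a constructed home directory in a temp dir with .ssh at mode $1 and
# authorized_keys at mode $2, run the check against it, clean up, and return
# the check's status.
demo_layout() {
    home="$(mktemp -d)"
    mkdir "$home/.ssh"
    : > "$home/.ssh/authorized_keys"
    chmod "$2" "$home/.ssh/authorized_keys"
    chmod "$1" "$home/.ssh"
    check_ssh_layout "$home"; rc=$?
    chmod 700 "$home/.ssh"; rm -rf "$home"
    return $rc
}

# Run the demo only when executed as a script, so the functions can be sourced.
case "${0##*/}" in
    ssh_layout_check.sh)
        echo "correct layout:";  demo_layout 700 600 && echo "ok"
        echo "world-readable key file:"; demo_layout 700 644 || echo "rejected"
        ;;
esac
```

On the freshly installed VM the same check is `check_ssh_layout /root`, run from the console before the first key-based login attempt; a failure there is cheaper to fix than a "Permission denied (publickey)" investigated over the network.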
Once the base operating system has been set up, we do further setup using ansible.

This assumes that your default ssh public key is installed on the server under the account that you'll be using for provisioning (root), or that you provide a different key to ansible with `--private-key=PRIVATE_KEY_FILE`.

- `workon ansible` (the virtualenv should already exist from previous work)
- `cd ~/Code/setup-scripts/ansible`
- Replace the host in `hosts` with the IP address of the newly provisioned host, placing it in the group section that corresponds to the `--limit` argument used in the `ansible-playbook` commands for the appropriate type of VM install.
- `cd ~/Code/local/startssl; ./make_bundles.sh` (if deploying a webserver)

Note that it's not possible to test ansible connectivity on OpenBSD hosts until they have a python interpreter, which is the first step in the common playbook.

The default architecture is `openbsd-amd64`. If the installation machine is another architecture, create a file under `host_vars` with a `PKG_PATH` definition that specifies the appropriate architecture, e.g.

```
PKG_PATH: 'http://mirror.internode.on.net/pub/OpenBSD/5.9/packages/powerpc/'
```

In the `ansible` directory at the same level as this README.md file, run:

```
ansible-playbook -u root -i hosts --limit <limit-criteria> site.yml
```

where the limit criteria is something like:

- `192.168.56.101` (an IP address)
- `webservers` (a single group name)
- `'webservers:&192.168.56.101'` (the union of a group and an IP address)

Then:

- Logon to the VM to perform the rest of the steps.
- Update `/etc/hosts` to have the FQDN for the host, and the short and FQDN names for any sites that the machine will serve.
- `cd ~/Code && git clone [email protected]:edwinsteele/dotfiles.git`
- `cd ~/Code/dotfiles && ./make.sh`
- `doas acme-client -vbNn wordspeak.org www.wordspeak.org staging.wordspeak.org origin.wordspeak.org gemini.wordspeak.org language-explorer.wordspeak.org`
- `cd ~/Code/wordspeak.org && /home/esteele/.virtualenvs/wordspeak_n7/bin/fab build staging_sync` (for webserver)