This project provides scripts for creating and configuring GovStack sandbox environments.
We use Ansible for scripting and Digital Ocean for hosting. These Ansible scripts borrow from ssdnodes-ansible-provision.
See the Functional demo sandbox tasks for more details on this project.
- Ensure you have an Ansible Control Node, e.g. ansible.egovstack.net on Digital Ocean.
- Check out a copy of this repo on the control node. We suggest creating unique forks/branches to track changes and regularly committing/pushing them to track configuration changes over time.
- Copy `vars_with_secret_example.yml` to `vars_with_secret.yml`. It contains the shared secrets used across scripts (API token, passwords). Keep `vars_with_secret.yml` out of version control, or encrypt it with `ansible-vault`, so that these secrets are not pushed along with your configuration changes.
- Edit `digital_ocean_token` in `vars_with_secret.yml` to include your API token (the SSH key used for access is covered in the next step). To create a Digital Ocean API token, see API -> Tokens/Keys -> Generate New Token. Be sure to create the token with read/write privileges: the scripts create and destroy droplets and DNS records with it, so treat it as a credential with full control over the account.
- Edit `ssh_key_fingerprint` in `vars_with_secret.yml` to include the fingerprint of the Digital Ocean SSH key to be added to new droplets. You can add a new SSH key, or use the existing `host@ansible` SSH key in Digital Ocean. To get the fingerprint of an existing Digital Ocean SSH key, see your team's security settings, e.g. Account Settings -> Security -> SSH Keys.
- Edit the `hosts` file to include your new droplets. Droplets of the same type should have the same prefix, e.g.:
```
...
#eregistration
[ereg]
er1.egovstack.net
er2.egovstack.net
...
```
NOTE: hostnames must include a number, e.g. er1; the prefix before the number (er) is the droplet type used as the key in `digitalocean.yml` below.
- Edit `digitalocean.yml` to include the correct starting image and droplet size for each droplet type, e.g.:
```yaml
droplet_image:
  er: ubuntu-18-04-x64
droplet_size:
  er: s-2vcpu-4gb
```
Ubuntu 18.04 is past its end of standard support; prefer a currently supported image slug for new droplets.
- Use the `digitalocean.yml` Ansible playbook to create all droplets:
```
$ ansible-playbook -i ./hosts digitalocean.yml
```
- Use the `drop.yml` Ansible playbook to destroy droplets. It acts on every droplet listed in `hosts`, so check the inventory before running it:
```
$ ansible-playbook -i ./hosts drop.yml
```
Note that you may need to run this multiple times to remove all subdomains...
- Add known hosts to all droplets:
```
$ ANSIBLE_HOST_KEY_CHECKING=false ansible-playbook -i hosts store_known_hosts.yml
```
`ANSIBLE_HOST_KEY_CHECKING=false` accepts whatever host key each droplet presents on this first contact (trust on first use), so run it right after the droplets are created and not again later; from then on leave host key checking enabled so that a changed key is reported rather than silently accepted.
NOTE: if this script fails for any reason, you likely need to clean references to old hosts (e.g. with `ssh-keygen -R <hostname>`) from the `~/.ssh/known_hosts` file on the Ansible Control Node.
If the playbook fails on `dig +short er3.egovstack.net` (the hostname does not resolve yet), you likely need to wait a minute for the DNS update from `digitalocean.yml` to propagate.
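A pre-flight script for the inventory and known_hosts steps above, added here as an example and not part of the project's own scripts. It assumes the INI inventory layout shown in this README (`./hosts`, one hostname per line under a `[group]` header) and the control node's `~/.ssh/known_hosts`; the function names, the 30-attempt DNS wait and the `--run` flag are this example's own choices. It checks that every hostname contains a number, waits until the hosts resolve, and forgets stale host keys for re-created droplets before `store_known_hosts.yml` is run.

```sh
#!/bin/sh
# Pre-flight checks before store_known_hosts.yml / provision.yml.
# Example script, not part of the GovStack sandbox repo. Assumes the
# README's INI inventory format; paths can be overridden via environment.

INVENTORY="${INVENTORY:-./hosts}"
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}"

# Print every hostname in the inventory: strip comments, skip blank
# lines and [group] headers, drop inline "key=value" host options.
inventory_hosts() {
    sed -e 's/[[:space:]]*[#;].*$//' "$1" \
      | grep -v '^[[:space:]]*$' \
      | grep -v '^[[:space:]]*\[' \
      | awk '{print $1}'
}

# The playbooks derive the droplet type from the part of the hostname
# before its number (er1 -> er), so a hostname without a digit is invalid.
hostname_valid() {
    case "$1" in
        *[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Droplet type prefix, i.e. the key used in droplet_image/droplet_size:
# "er3.egovstack.net" -> "er".
host_prefix() {
    printf '%s\n' "$1" | sed -e 's/\..*$//' -e 's/[0-9].*$//'
}

# Validate the whole inventory; prints offending hosts, returns 1 if any.
check_inventory() {
    rc=0
    for h in $(inventory_hosts "$1"); do
        if ! hostname_valid "$h"; then
            echo "invalid hostname (needs a number): $h" >&2
            rc=1
        fi
    done
    return $rc
}

# Wait until every host resolves: digitalocean.yml creates the DNS
# records and they take a little while to propagate. Needs dig + network.
wait_for_dns() {
    for h in $(inventory_hosts "$1"); do
        i=0
        until [ -n "$(dig +short "$h")" ]; do
            i=$((i + 1))
            [ "$i" -ge 30 ] && { echo "DNS not resolving: $h" >&2; return 1; }
            sleep 10
        done
        echo "$h -> $(dig +short "$h" | head -n1)"
    done
}

# Remove stale known_hosts entries for re-created droplets so that
# store_known_hosts.yml records the new key instead of failing on the old one.
forget_host_keys() {
    for h in $(inventory_hosts "$1"); do
        ssh-keygen -R "$h" -f "$KNOWN_HOSTS" >/dev/null 2>&1 || true
    done
}

# Run the full pre-flight only when asked (example's own flag); without
# --run the file just defines the functions so it can be sourced.
if [ "$1" = "--run" ]; then
    check_inventory "$INVENTORY" || exit 1
    wait_for_dns "$INVENTORY" || exit 1
    forget_host_keys "$INVENTORY"
    echo "ok: now run ANSIBLE_HOST_KEY_CHECKING=false ansible-playbook -i $INVENTORY store_known_hosts.yml"
fi
```

Run it on the control node as `sh preflight.sh --run` after `digitalocean.yml` has finished; `forget_host_keys` only touches entries for hosts listed in the inventory, so keys for other machines in `~/.ssh/known_hosts` are left alone.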
- Provision the droplets. This playbook creates a non-root user, updates packages, configures SSH access, and generates Let's Encrypt certificates for all droplets. On `ansible.egovstack.net`, hit `<enter>` for the first `SSH password:` prompt. Use `password` from `vars_with_secret.yml` for the `BECOME password[defaults to SSH password]:` prompt:
```
$ ansible-playbook -i hosts -k provision.yml --ask-become-pass
```
- OPTIONAL: Reboot all droplets. On `ansible.egovstack.net`, use `password` from `vars_with_secret.yml` for the `BECOME password:` prompt:
```
$ ansible --ask-become-pass -i hosts -b -m reboot all
```
See Installing X-Road on DigitalOcean for more details on how to set up the XRoad as an Information Mediator.
- Set up eregistration:
```
$ ansible-playbook -i hosts -k ereg_coresystem.yml --ask-become-pass
```
- Wait several minutes for everything to start up. You can ssh into the host to debug, e.g. from `ansible.egovstack.net` run `host@ansible:~/wkd/ereg$ ssh root@er3.egovstack.net`. It may be helpful to reboot the host a few times and run `top` or `docker ps` to see which processes are healthy.
- Ensure Keycloak has started up completely, then comment out `KEYCLOAK_USER=$KEYCLOAK_ADMIN_USER` and `KEYCLOAK_PASSWORD=$KEYCLOAK_ADMIN_USER_PASSWORD` in the docker compose file, e.g. `# vim /opt/eregistrations/compose/eregistrations/docker-compose.yml` followed by `docker-compose up -d keycloak`. These two variables are only used to create the initial admin account on first start; removing them afterwards keeps the admin credentials out of the running container's environment and out of the compose file on disk.