| [14909] | 1 | ============================================= |
|---|
| 2 | Playbooks for administrating WAeUP servers. |
|---|
| 3 | ============================================= |
|---|
| 4 | |
|---|
| 5 | This is the fine manual to survive basic setup of vagrant workers. |
|---|
| 6 | |
|---|
| 7 | |
|---|
| 8 | Setup a box and start it |
|---|
| 9 | ======================== |
|---|
| 10 | |
|---|
| 11 | Become `vhosts` user on ``h8``. Then, create a home for the new VM and create a |
|---|
| 12 | first Vagrantfile. For the latter use existing instances as template.:: |
|---|
| 13 | |
|---|
| 14 | vhosts@h8 $ mkdir vhost23 |
|---|
| 15 | vhosts@h8 $ cp vhost22/Vagrantfile vhost23/ |
|---|
| 16 | vhosts@h8 $ cd vhost23 |
|---|
| 17 | |
|---|
| 18 | Edit the new Vagrantfile and set virtual ip and SSH port to some yet unused |
|---|
| 19 | value. Also set the hostname to ``v23`` / ``v23.waeup.org`` respectively. |
|---|
| 20 | Ensure, that for now all public IPs and port forwardings are commented out (as |
|---|
| 21 | SSH on the new box is yet unsecured):: |
|---|
| 22 | |
|---|
| 23 | vhosts@h8/vhost23 $ vim Vagrantfle |
|---|
| 24 | |
|---|
| 25 | Then, start the new VM:: |
|---|
| 26 | |
|---|
| 27 | vhosts@h8/vhost23 $ vagrant up |
|---|
| 28 | |
|---|
| 29 | and look out for the portnumber on which the new box is reachable from the |
|---|
| 30 | remote host. This will normally be 2222. |
|---|
| 31 | |
|---|
| 32 | |
|---|
| 33 | Enable SSH-key login from remote |
|---|
| 34 | ================================ |
|---|
| 35 | |
|---|
| 36 | First create a new key for you:: |
|---|
| 37 | |
|---|
| 38 | uli@home $ ssh-keygen -t ed25519 -C "uli@home to v23.waeup.org" -f ~/.ssh/idv23 |
|---|
| 39 | |
|---|
| 40 | and register the new key in SSH config (`~/.ssh/config`:: |
|---|
| 41 | |
|---|
| 42 | Host v23 v23.waeup.org |
|---|
| 43 | Hostname h8.waeup.org |
|---|
| 44 | User ubuntu |
|---|
| 45 | Port 2323 |
|---|
| 46 | IdentityFile /home/uli/.ssh/id_v23 |
|---|
| 47 | IdentitiesOnly yes |
|---|
| 48 | |
|---|
| [15262] | 49 | Again, please use the really used values, especially for the port number (must |
|---|
| 50 | be unique for each vhost) and User ("ubuntu" for vhosts running Ubuntu 16.04, |
|---|
| 51 | "vagrant" else). |
|---|
| [14909] | 52 | |
|---|
| 53 | The generated *public* key from `/home/uli/.ssh/id_v23.pub` can now be appended |
|---|
| 54 | to the new vagrant box in three steps:: |
|---|
| 55 | |
|---|
| 56 | # 1 - copy to host server |
|---|
| 57 | uli@home $ scp ~/.ssh/id_v23.pub h8:/home/uli |
|---|
| 58 | # 2 - copy to vagrant box |
|---|
| 59 | vhosts@h8 $ cp /home/uli/id_v23.pub ~/vhost23/ |
|---|
| 60 | vhosts@h8 $ cd ~/vhost23/ |
|---|
| 61 | # 3 - in vagrant box append to authorized_keys |
|---|
| 62 | vhosts@h8 $ vagrant ssh |
|---|
| 63 | ubuntu@v23 $ cat /vagrant/id_v23.pub >> ~/.ssh/authorized_keys |
|---|
| 64 | |
|---|
| 65 | Now you should be able to login from home into the remote vagrant box. |
|---|
| 66 | |
|---|
| 67 | To test this, we try to connect from home to the remove vhost, but, as we yet |
|---|
| 68 | have not secured SSH access, only through a tunnel that connects the remote |
|---|
| 69 | localhost:2222 to our home localhost:3333.:: |
|---|
| 70 | |
|---|
| 71 | uli@home $ ssh -L 3333:localhost:2222 uli@h8.waeup.org |
|---|
| 72 | |
|---|
| 73 | leave that shell open until we are done and make sure (in another terminal) |
|---|
| 74 | that we have something listening on the given port (here: 3333). In the next |
|---|
| 75 | step we will have to use that tunnel for first configuration steps. |
|---|
| 76 | |
|---|
| 77 | |
|---|
| 78 | Run ``vhost-bootstrap.yml`` |
|---|
| 79 | =========================== |
|---|
| 80 | |
|---|
| [15915] | 81 | In ``hosts`` add the new box in the ``[yet_untouched]`` section:: |
|---|
| [14909] | 82 | |
|---|
| [15915] | 83 | [yet_untouched] |
|---|
| [14909] | 84 | localhost:3333 ansible_user=ubuntu |
|---|
| 85 | |
|---|
| 86 | and run the playbook:: |
|---|
| 87 | |
|---|
| 88 | uli@home $ ansible-playbook -b -i hosts --private-key ~/.ssh/id_v23 vhost-bootstrap.yml |
|---|
| 89 | |
|---|
| 90 | This should secure the new box. From now on, we can connect via the regular |
|---|
| [15915] | 91 | ways. You can quit the open shell now and remove the ``[yet_untouched]`` entry |
|---|
| [14909] | 92 | in ``hosts``. |
|---|
| 93 | |
|---|
| 94 | Instead make a new entry in ``[bootstrapped]``:: |
|---|
| 95 | |
|---|
| 96 | # hosts |
|---|
| [15915] | 97 | [yet_untouched] |
|---|
| [14909] | 98 | |
|---|
| 99 | [bootstrapped] |
|---|
| 100 | # ... |
|---|
| 101 | v23.waeup.org:2342 ansible_user=ubuntu |
|---|
| 102 | |
|---|
| 103 | # .... |
|---|
| 104 | |
|---|
| 105 | using the port number and hostname you plan to assign to the new box. |
|---|
| 106 | |
|---|
| 107 | |
|---|
| 108 | Make New Box Publicly Visible |
|---|
| 109 | ============================= |
|---|
| 110 | |
|---|
| 111 | As user `vhosts` edit the remote `Vagrantfile` and enable the settings of |
|---|
| 112 | ``private_network`` and ``forwarded_port``. Then, reload:: |
|---|
| 113 | |
|---|
| 114 | vhosts@h8 $ vagrant reload |
|---|
| 115 | |
|---|
| 116 | Ensure, you can connect to the new box via the official hostname used:: |
|---|
| 117 | |
|---|
| 118 | uli@home $ ssh v23.waeup.org |
|---|
| 119 | |
|---|
| 120 | There will be warnings about changed host keys the first time you try to |
|---|
| 121 | reconnect. Edit `known_hosts` accordingly and retry until you can SSH-connect |
|---|
| 122 | to the new box without any problems. |
|---|
| 123 | |
|---|
| 124 | |
|---|
| 125 | Run ``vhost-setup.yml`` on the New Box |
|---|
| 126 | ====================================== |
|---|
| 127 | |
|---|
| 128 | This is easy now: |
|---|
| 129 | |
|---|
| 130 | uli@home $ ansible-playbook -b -i hosts -l v23.waeup.org setup.yml |
|---|
| 131 | |
|---|
| 132 | |
|---|
| 133 | Finishing |
|---|
| 134 | ========= |
|---|
| 135 | |
|---|
| 136 | Finally, please move the hosts entry of the new box from the ``[bootstrapped]`` |
|---|
| 137 | section over to the ``[[vhosts]`` section. |
|---|
