This repository contains code and documentation for configuring infrastructure managed by the NYC Planning Labs team. The parts that get modified most frequently:

- `playbooks/`: Ansible playbooks to configure DigitalOcean Droplets. The playbooks are explained below.
- `roles/internal/`: Custom Ansible roles for code shared across playbooks.
- `requirements.yml`: List of third-party Ansible roles, which get installed to `roles/external/`.
- `.circleci/config.yml`: Configuration for continuous integration/deployment with CircleCI.
Related resources:

- DigitalOcean dashboard (restricted)
- Security/devops planning board
To set up:

1. Install dependencies.
   - Python 3
     - NOTE: You may need to install certificates to avoid an SSL error:
       `sudo /Applications/Python\ 3.6/Install\ Certificates.command`
2. Install Ansible and its dependencies.
   ```sh
   pipenv install
   pipenv run ansible-galaxy install -p roles/external -r requirements.yml
   ```
To run against a live server:

1. Do the one-time credential setup.
   1. Create a DigitalOcean token with read access.
   2. Save your token to a `digital_ocean.ini` configuration file:
      ```ini
      [digital_ocean]
      api_token=TOKEN
      ```
2. Enable the virtualenv.
   ```sh
   pipenv shell
   ```
3. Set the DigitalOcean environment variable. This is required because the DigitalOcean modules can't read from the `digital_ocean.ini` file.
   ```sh
   export $(./digital_ocean.py --env)
   ```
4. Run one of the playbooks. You will use `root` as the `USER` on the first run and your GitHub username on subsequent runs, as `root` access gets removed.

Any of these can be done as a "dry run" by adding `--check` to the end of the command.
Examples of running playbooks for different scenarios:

- Test connectivity to the Droplets tagged with `labs`.
  ```sh
  ansible labs -i digital_ocean.py -u USER -m command --args uptime
  ```
- Configure a Droplet with the real Ansible playbook.
  ```sh
  ansible-playbook -i digital_ocean.py -u USER -l DROPLET_NAME playbooks/base.yml
  ```
- Configure all `labs` Droplets with the real Ansible playbook.
  ```sh
  ansible-playbook -i digital_ocean.py -u USER -l labs playbooks/base.yml
  ```
To add a user:

- Have them add their SSH key to their GitHub account.
- Add their GitHub username to the `users` variable in the variables file.
- Run the base playbook. See examples above.

To remove a user:

- Move their username from the `users` variable to the `former_users` variable in the variables file.
- Run the base playbook. See examples above.
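The following play is an added example, not one of this repository's playbooks, showing how the add/remove procedure above maps onto Ansible: it creates the accounts listed in `users`, installs each account's public keys from GitHub, removes `former_users`, and disables SSH login as `root`. It assumes the `ansible.posix` collection is installed, that the `labs` inventory group and the `users`/`former_users` variables exist as described, and the usernames shown are constructed sample values.

```yaml
# Added example, not the repository's own playbook. Assumes the
# ansible.posix collection is installed (for authorized_key) and that
# each name in `users`/`former_users` is a GitHub username whose public
# keys are published at https://github.com/<username>.keys.
- hosts: labs
  become: yes
  vars:
    users: [alice-example]          # constructed sample values; the real
    former_users: [bob-example]     # lists live in the variables file
  tasks:
    - name: Create accounts for current users
      ansible.builtin.user:
        name: "{{ item }}"
        shell: /bin/bash
        groups: sudo
        append: yes
      loop: "{{ users }}"

    - name: Let the sudo group escalate without a password (needed for Ansible become on later runs)
      ansible.builtin.copy:
        dest: /etc/sudoers.d/90-labs-users
        content: "%sudo ALL=(ALL) NOPASSWD:ALL\n"
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    - name: Install each user's GitHub SSH keys, replacing any other keys on the account
      ansible.posix.authorized_key:
        user: "{{ item }}"
        key: "https://github.com/{{ item }}.keys"
        exclusive: yes
      loop: "{{ users }}"

    - name: Remove former users together with their home directories
      ansible.builtin.user:
        name: "{{ item }}"
        state: absent
        remove: yes
      loop: "{{ former_users }}"

    - name: Disable SSH login as root now that named users exist
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: PermitRootLogin no
        validate: /usr/sbin/sshd -t -f %s
      notify: restart ssh

  handlers:
    - name: restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Run it first as `root` and afterwards as one of the names in `users`; a `--check` run shows which accounts and keys would change before anything is applied.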
Every server/Droplet should:

- Use an Ubuntu LTS as the operating system, unless there's a good reason to use something else
  - Why: Consistency
- Be tagged with `labs`
- Use a floating IP
  - Why: So that the server can be replaced without modifying DNS, if need be
    - ...especially if a `*.planning.nyc.gov` domain is going to be pointed at it
- Have a Cloud Firewall enabled
  - Why: To avoid unwanted traffic
  - Use rules that are as restrictive as possible
  - Use private networking where possible
- Have backups enabled. The script won't run correctly if backups aren't enabled: it will fail when it tries to back up, and the rest of the script won't run.
- Have an Ansible playbook with the `common` role
- Have the services/containers/etc. start properly after machine reboot
  - Why: Services/machines need to be rebooted occasionally for things like upgrades, and this will make the recovery afterwards as smooth as possible
  - This needs to be tested manually

Be careful not to check secrets into this repository.