- Lack of use of `validate`. Ansible will allow you to call a command, validating the task that was just done. We don't do that enough.
- SSHd added support for the "Include" statement within /etc/ssh/sshd_config in version 8.2. That is in testing but not buster-backports. In the meantime we just mutate the SSHd configuration in multiple places. It is a bit fragile and we should go back to ".d" config when 8.2 lands in backports.
- avena-ca: Don't resign host key unless expiration is near?
In a default deploy, both Wireguard and Docker use local networks in the private IP range. You must be sure to not allow those networks to overlap with any physical network's IP range. For example, the 10.0.0.0/8 range is often used in modern WiFi networks and should be avoided in Wireguard and Docker.
- Set `ansible_host` to the desired Wireguard network IP.

NOTE: We can (and probably should) use vault for this as well.
All things secret to your deploy need to be written in a protected file. We suggest you use `ansible-vault` to protect the secrets and commit it to a private repository for safe keeping (`$ ansible-vault create secrets.yml`).

Currently the secrets that need to be defined are:

- `ansible_become_pass` -- The password used when Ansible tries to become root. Effectively the password of the `remote_user` account.
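How the pieces above fit together, as an added example that is not part of the Avena repository: the inventory pins `ansible_host` to the tunnel address, the vaulted `secrets.yml` carries `ansible_become_pass`, and the play loads it with `vars_files` so privilege escalation works without the password ever appearing in the repository in clear text. The hostname, the Wireguard address, the `avena` login and the file names are constructed for illustration; the three YAML documents below would normally be three separate files.

```yaml
---
# inventory.yml (constructed example)
all:
  hosts:
    node1.example.org:
      # Reach the host over the Wireguard tunnel, not its public address.
      # Constructed value: pick a range that overlaps no physical network
      # the host can see (the page warns against 10.0.0.0/8 for this reason).
      ansible_host: 192.168.250.11
  vars:
    # The login account Ansible connects as; ansible_become_pass below is
    # this account's password, since become uses sudo by default.
    ansible_user: avena
---
# secrets.yml, shown in clear text here only to illustrate its shape.
# On disk it is created encrypted with: ansible-vault create secrets.yml
ansible_become_pass: "REPLACE-WITH-THE-REAL-PASSWORD"   # placeholder
---
# site.yml
- name: Apply Avena roles over the Wireguard tunnel
  hosts: all
  become: true
  vars_files:
    - secrets.yml   # decrypted in memory at run time, never written out
  roles:
    - role: avena-base   # assumed role name for illustration
```

Run it with `ansible-playbook -i inventory.yml --ask-vault-pass site.yml` (or `--vault-password-file` pointing at a file outside the repository). Because `secrets.yml` is only ever committed in its encrypted form, `git log -p` on the private repository shows ciphertext, not the password.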
- Prefer `templates` over `lineinfile` or `blockinfile`. Rendering the entire file at once avoids many idempotency bugs. The "core" Avena roles should exclusively use `templates`, refactoring the roles as needed. `lineinfile`, `blockinfile`, etc. should be used by Avena extensions which need to modify a core file. Take advantage of Debian ".d" directories when possible. Never modify a Debian default file when there is a ".d" directory available.
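The two guidelines that recur on this page, using `validate` (from the TODO list at the top) and rendering whole files with `template` into Debian ".d" directories where they exist, combined in one play. This is an added example, not code from the Avena roles; the template file names (`sshd_config.j2`, `sudoers-avena.j2`) and the drop-in name `avena` are assumed. `validate` is the safety net that makes whole-file templating acceptable for a file like `sshd_config`: Ansible renders the template to a temporary file, substitutes its path for `%s`, and only copies it over the destination if the command exits 0, so a syntax error in the template cannot lock you out of SSH.

```yaml
---
# Added example (not from the Avena repository): whole-file templates,
# validated before installation, preferring a Debian ".d" directory
# over editing the distribution's default file.
- name: Core configuration rendered as templates and validated
  hosts: all
  become: true

  tasks:
    - name: Render the complete sshd_config from a template
      ansible.builtin.template:
        src: sshd_config.j2          # assumed template name
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0644"
        # sshd -t only parses and sanity-checks the file at %s; a non-zero
        # exit fails the task and leaves the live sshd_config untouched.
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

    - name: Install sudo policy as a drop-in instead of editing /etc/sudoers
      ansible.builtin.template:
        src: sudoers-avena.j2        # assumed template name
        dest: /etc/sudoers.d/avena   # the ".d" directory Debian already ships
        owner: root
        group: root
        mode: "0440"
        # visudo -cf checks the candidate file; a broken sudoers drop-in
        # would otherwise disable sudo for everyone on the host.
        validate: /usr/sbin/visudo -cf %s

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh                    # Debian's unit name for OpenSSH server
        state: restarted
```

Both tasks are idempotent for free: `template` compares the rendered result with the file already in place and reports `changed` only when the content differs, which is the property the page says `lineinfile` and `blockinfile` make hard to get right. Once OpenSSH 8.2 with `Include` reaches buster-backports, the first task becomes a drop-in under `/etc/ssh/sshd_config.d/` with the same `validate` line.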