
We use Ansible to build and configure our servers.

Our Ansible configuration is stored on Bitbucket (see below for the URL).

The Ansible vault password is stored on the P drive at P/Othmer Library/Digital Collections - Internal Access.

Once you check out the git repository from Bitbucket, you'll find a more detailed description of the organization of our Ansible code at https://bitbucket.org/ChemicalHeritageFoundation/ansible-inventory/src/master/README.md.

See Ansible-Hydra Submodule for details of the submodule we use.

See Editing Ansible for notes on current practices for editing.

Building a new machine on AWS with Ansible

Note: the ansible-vault password and all current AWS keys are on the shared network drive at Othmer Library\Digital Collections - Internal Access\Authentication - Confidential.
If you do not have access, speak with Michelle about getting added to the allowed group.

  1. Check the Ansible variables in the encrypted file
    1. $ ansible-vault edit group_vars/all (you will need the vault password)
    2. Look for # Use these temporarily for new instances
      1. Right now certain values such as fedora_ip, solr_ip, and the rest can only be filled in once the box has been built and has a valid IP.
      2. Generally speaking, the build order that minimizes going back to edit IPs is:
        1. Fedora
        2. Solr
        3. Sufia machines (riiif, app)
    3. Ensure your ssh key is listed under keys_to_add; this is needed for capistrano deploys and for ssh access with your personal account.
  2. Run the Ansible playbook
    1. $ ansible-playbook create_ec2.yml --ask-vault-pass --private-key=/PATH/TO/KEY --extra-vars "role=ROLE tier=SERVICE_LEVEL" --extra-vars "@group_vars/ROLE_SERVICE_LEVEL_override"
      1. Use chf_prod.pem for all production level machines
      2. Use test.pem for all other machines
      3. Select the role and service level of the machine you want to build.
    2. OR, if you're re-running scripts on an existing machine:
      1. $ ansible-playbook -i hosts my_playbook.yml --ask-vault-pass [-e hosts=target]
        1. target can be one of the groups in the hosts file: staging, production, dev, ec2hosts
  3. Assign an elastic IP to the new box if it needs one
  4. Consider naming the AWS volumes for 'root' and 'data' – this isn't done in the scripts (but probably could be!)
  5. Set up to use capistrano (below) or just deploy with capistrano (above)
  6. Run configure_prod.yml if on production to set up e-mail password resets, SSL, and backup procedures (see Playbook Notes below).
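A pre-flight script for the build procedure above, added here as an example (it is not part of this wiki or of the ansible-inventory repository). It applies the page's own rules before the playbook is invoked: chf_prod.pem for production and test.pem for everything else, the key at mode 0600, and group_vars/all still vault-encrypted rather than left decrypted on disk. The key directory argument, the argument order and the function names are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for create_ec2.yml (added example; not the wiki's or the repo's own script).
# Assumes the .pem files live in the directory passed as $3 (default ~/.ssh) and that the
# vault file is group_vars/all (default $4), as described on the page.

# Key selection rule from the page: chf_prod.pem for production, test.pem for everything else.
select_key() {
  case "$1" in
    production) echo "chf_prod.pem" ;;
    *)          echo "test.pem" ;;
  esac
}

# A file managed by ansible-vault starts with a $ANSIBLE_VAULT; header line. If the header is
# missing, the file was decrypted in place and still holds plaintext secrets.
vault_encrypted() {
  head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# The private key must be a regular file with mode 0600 (the page's "chmod 0600" step);
# ssh refuses keys that are readable by group or world.
key_perms_ok() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run all checks and print the ansible-playbook invocation from the page on success.
# Usage: preflight ROLE TIER [KEYDIR] [VAULT_FILE]
preflight() {
  pf_role=$1; pf_tier=$2
  pf_keydir=${3:-$HOME/.ssh}; pf_vault=${4:-group_vars/all}
  pf_key="$pf_keydir/$(select_key "$pf_tier")"
  key_perms_ok "$pf_key" || { echo "refusing: $pf_key missing or not mode 0600" >&2; return 1; }
  vault_encrypted "$pf_vault" || { echo "refusing: $pf_vault is not vault-encrypted" >&2; return 1; }
  echo "ansible-playbook create_ec2.yml --ask-vault-pass --private-key=$pf_key" \
       "--extra-vars \"role=$pf_role tier=$pf_tier\"" \
       "--extra-vars \"@group_vars/${pf_role}_${pf_tier}_override\""
}

# When run directly with ROLE and TIER, print the command to execute (nothing is run for you).
if [ $# -ge 2 ]; then
  preflight "$@"
fi
```

The script only prints the command so you can review it; pipe it to sh once you are satisfied with the key and vault checks.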

Updating boxes with Ansible

New AWS Key

  1. Generate a new ssh key on AWS (EC2 > Keypairs)
    1. Place it in ~/.ssh
    2. chmod 0600 the key file
    3. A useful command if you're having problems with the key: $ openssl rsa -in chf_prod.pem -check

Git repositories for ansible - structure and use

The code we use to administer Sufia via Ansible lives at https://github.com/curationexperts/ansible-hydra

A wrapper with local configuration lives at https://bitbucket.org/ChemicalHeritageFoundation/ansible-inventory. The wrapper contains:

  • our hosts file
  • our group_vars files
  • ansible-hydra as a git submodule
  • an ansible.config which points to ansible-hydra for roles_path.
  • A number of roles and plays for CHF specific customization
  • Aside: pull requests can be submitted via branches; there's really no need to fork this repo since we'll all be owners.

To use

  • $ git clone git@bitbucket.org:ChemicalHeritageFoundation/ansible-inventory.git
  • $ cd ansible-inventory
  • $ git submodule update --init

Subsequently, when you pull ansible-inventory and the submodule has been updated, just run

  • $ git submodule update


Playbook Notes

configure_prod: Sets up backup (via s3 and postgres roles) for production servers. If the SSL certs are installed (and they should be) it will also set the machine to send secured password reset e-mails. It also adds the secrets data for capistrano. All of this is handled by roles which as of 2/26/16 are fairly atomic but could be trimmed down further.
