personal_infra/01_infra_setup.md

# 01. Infra Setup

This describes how to prepare each machine before deploying services on them.

## 01.01 First steps

* Create an ssh key or pick an existing one. We'll refer to it as the `personal_ssh_key`.
* Deploy ansible on the laptop (Lapy), which will act as the ansible control node. To do so:
  * Create a `venv`: `python3 -m venv venv`
  * Activate it: `source venv/bin/activate`
  * Install the listed ansible requirements with `pip install -r requirements.txt`
* Keep in mind you should activate this `venv` from now on when running `ansible` commands.

## 01.02 Prepare the VPS (Vipy)

### 01.02.01 Source the VPS

* The guide is agnostic to which provider you pick, but has been tested with VMs from https://lnvps.net.
* The expectations are that the VPS ticks the following boxes:
  + Runs Debian 12 bookworm.
  + Has a public IP4 and starts out with SSH listening on port 22.
  + Boots with one of your SSH keys already authorized.
* Move on once your VPS is running.

### 01.02.02 Prepare Ansible vars

* You have an example `ansible/example.inventory.ini`. Copy it with `cp ansible/example.inventory.ini ansible/inventory.ini` and fill in with the values for your VPS.

### 01.02.03 Create user and secure VPS access

* Ansible will create a user on the first playbook `01_basic_vps_setup_playbook.yml`. This is the user that will get used regularly. But, since this user doesn't exist, you obviosuly need to first run this playbook from some other user. We assume your VPS provider has given you a root user, which is what you need to define as the running user in the next command.
* cd into `ansible`
* Run `ansible-playbook -i inventory.ini infra/01_user_and_access_setup_playbook.yml -e 'ansible_user="your root user here"'
* Then, configure firewall access, fail2ban and auditd with `ansible-playbook -i inventory.ini infra/02_firewall_playbook.yml`

Note that both the root user and the `counterweight` user will use the same SSH pubkey for auth.
wip 2025-07-01 10:39:01 +02:00			`# 01. Infra Setup`

			`This describes how to prepare each machine before deploying services on them.`

			`## 01.01 First steps`

			* Create an ssh key or pick an existing one. We'll refer to it as the `personal_ssh_key`.
thingies 2025-07-01 16:14:44 +02:00			`* Deploy ansible on the laptop (Lapy), which will act as the ansible control node. To do so:`
			* Create a `venv`: `python3 -m venv venv`
			* Activate it: `source venv/bin/activate`
			* Install the listed ansible requirements with `pip install -r requirements.txt`
			* Keep in mind you should activate this `venv` from now on when running `ansible` commands.
wip 2025-07-01 10:39:01 +02:00
			`## 01.02 Prepare the VPS (Vipy)`

			`### 01.02.01 Source the VPS`

			`* The guide is agnostic to which provider you pick, but has been tested with VMs from https://lnvps.net.`
			`* The expectations are that the VPS ticks the following boxes:`
			`+ Runs Debian 12 bookworm.`
			`+ Has a public IP4 and starts out with SSH listening on port 22.`
			`+ Boots with one of your SSH keys already authorized.`
			`* Move on once your VPS is running.`

			`### 01.02.02 Prepare Ansible vars`

thingies 2025-07-01 16:14:44 +02:00			* You have an example `ansible/example.inventory.ini`. Copy it with `cp ansible/example.inventory.ini ansible/inventory.ini` and fill in with the values for your VPS.
wip 2025-07-01 10:39:01 +02:00
thingies 2025-07-01 16:14:44 +02:00			`### 01.02.03 Create user and secure VPS access`
wip 2025-07-01 10:39:01 +02:00
thingies 2025-07-01 16:14:44 +02:00			* Ansible will create a user on the first playbook `01_basic_vps_setup_playbook.yml`. This is the user that will get used regularly. But, since this user doesn't exist, you obviosuly need to first run this playbook from some other user. We assume your VPS provider has given you a root user, which is what you need to define as the running user in the next command.
			* cd into `ansible`
			* Run `ansible-playbook -i inventory.ini infra/01_user_and_access_setup_playbook.yml -e 'ansible_user="your root user here"'
			* Then, configure firewall access, fail2ban and auditd with `ansible-playbook -i inventory.ini infra/02_firewall_playbook.yml`

			Note that both the root user and the `counterweight` user will use the same SSH pubkey for auth.