diff --git a/01_infra_setup.md b/01_infra_setup.md index b34549e..f023578 100644 --- a/01_infra_setup.md +++ b/01_infra_setup.md @@ -18,22 +18,23 @@ This describes how to prepare each machine before deploying services on them. * Getting and configuring the domain is outside the scope of this repo. Whenever a service needs you to set up a subdomain, it will be mentioned explictly. * You should add the domain to the var `root_domain` in `ansible/infra_vars.yml`. -## Prepare the VPS (Vipy) +## Prepare the VPSs (vipy and watchtower) -### Source the VPS +### Source the VPSs * The guide is agnostic to which provider you pick, but has been tested with VMs from https://99stack.com and contains some operations that are specifically relevant to their VPSs. * The expectations are that the VPS ticks the following boxes: + Runs Debian 12 bookworm. + Has a public IP4 and starts out with SSH listening on port 22. + Boots with one of your SSH keys already authorized. If this is not the case, you'll have to manually drop the pubkey there before using the playbooks. -* Move on once your VPS is running and satisfies the prerequisites. +* You will need two VPSs: one to host most services, and another tiny one to monitor Uptime. We use two to prevent the monitoring service from falling down with the main machine. +* Move on once your VPSs are running and satisfies the prerequisites. ### Prepare Ansible vars -* You have an example `ansible/example.inventory.ini`. Copy it with `cp ansible/example.inventory.ini ansible/inventory.ini` and fill in with the values for your VPS. +* You have an example `ansible/example.inventory.ini`. Copy it with `cp ansible/example.inventory.ini ansible/inventory.ini` and fill in with the values for your VPSs. `[vipy]` is the services VPS. `[watchtower]` is the watchtower VPS. * A few notes: - * The guides assume you'll only have one VPS in the `[Vipy]` group. Stuff will break if you have multiple, so avoid that. + * The guides assume you'll only have one VPS in the `[vipy]` group. Stuff will break if you have multiple, so avoid that. ### Create user and secure VPS access @@ -42,4 +43,4 @@ This describes how to prepare each machine before deploying services on them. * Run `ansible-playbook -i inventory.ini infra/01_user_and_access_setup_playbook.yml -e 'ansible_user="your root user here"'` * Then, configure firewall access, fail2ban and auditd with `ansible-playbook -i inventory.ini infra/02_firewall_and_fail2ban_playbook.yml`. Since the user we will use is now present, there is no need to specify the user anymore. -Note that, by applying this playbooks, both the root user and the `counterweight` user will use the same SSH pubkey for auth. \ No newline at end of file +Note that, by applying these playbooks, both the root user and the `counterweight` user will use the same SSH pubkey for auth. \ No newline at end of file diff --git a/ansible/example.inventory.ini b/ansible/example.inventory.ini index 605b476..cb24bbf 100644 --- a/ansible/example.inventory.ini +++ b/ansible/example.inventory.ini @@ -1,6 +1,9 @@ [vipy] your.vps.ip.here ansible_user=counterweight ansible_port=22 ansible_ssh_private_key_file=~/.ssh/your-key +[watchtower] +your.vps.ip.here ansible_user=counterweight ansible_port=22 ansible_ssh_private_key_file=~/.ssh/your-key + # Local connection to laptop: this assumes you're running ansible commands from your personal laptop # Make sure to adjust the username [lapy] diff --git a/ansible/infra/01_user_and_access_setup_playbook.yml b/ansible/infra/01_user_and_access_setup_playbook.yml index a812242..9a01664 100644 --- a/ansible/infra/01_user_and_access_setup_playbook.yml +++ b/ansible/infra/01_user_and_access_setup_playbook.yml @@ -1,5 +1,5 @@ - name: Secure Debian VPS - hosts: vipy + hosts: vipy,watchtower vars_files: - ../infra_vars.yml become: true diff --git a/ansible/infra/02_firewall_and_fail2ban_playbook.yml b/ansible/infra/02_firewall_and_fail2ban_playbook.yml index d6abd95..4cceaf7 100644 --- a/ansible/infra/02_firewall_and_fail2ban_playbook.yml +++ b/ansible/infra/02_firewall_and_fail2ban_playbook.yml @@ -1,5 +1,5 @@ - name: Secure Debian VPS - hosts: vipy + hosts: vipy,watchtower vars_files: - ../infra_vars.yml become: true diff --git a/ansible/services/caddy_playbook.yml b/ansible/services/caddy_playbook.yml index e422c78..4edfd5f 100644 --- a/ansible/services/caddy_playbook.yml +++ b/ansible/services/caddy_playbook.yml @@ -1,5 +1,5 @@ - name: Install and configure Caddy on Debian 12 - hosts: vipy + hosts: vipy,watchtower become: yes tasks: diff --git a/ansible/services/uptime_kuma/deploy_uptime_kuma_playbook.yml b/ansible/services/uptime_kuma/deploy_uptime_kuma_playbook.yml index f7fe4b9..86a06b3 100644 --- a/ansible/services/uptime_kuma/deploy_uptime_kuma_playbook.yml +++ b/ansible/services/uptime_kuma/deploy_uptime_kuma_playbook.yml @@ -1,5 +1,5 @@ - name: Deploy Uptime Kuma with Docker Compose and configure Caddy reverse proxy - hosts: vipy + hosts: watchtower become: yes vars_files: - ../../infra_vars.yml diff --git a/ansible/services/uptime_kuma/uptime_kuma_vars.yml b/ansible/services/uptime_kuma/uptime_kuma_vars.yml index eb235d6..ad63490 100644 --- a/ansible/services/uptime_kuma/uptime_kuma_vars.yml +++ b/ansible/services/uptime_kuma/uptime_kuma_vars.yml @@ -8,7 +8,7 @@ caddy_sites_dir: /etc/caddy/sites-enabled uptime_kuma_subdomain: uptime # Remote access -remote_host: "{{ groups['vipy'][0] }}" +remote_host: "{{ groups['watchtower'][0] }}" remote_user: "{{ hostvars[remote_host]['ansible_user'] }}" remote_key_file: "{{ hostvars[remote_host]['ansible_ssh_private_key_file'] | default('') }}"