ansible: rocky firewall (#635)

* modify the template file to highlight optional host that stores WAC files * numerically reorder the tcp ports - fix the 404's on the documentation * add a configuration file - this allows automatic selection of inventory directory * provide better examples on documentation
2023-02-24 20:28:21 -05:00 · 2023-02-24 20:28:21 -05:00 · 3ba77f0ed2
commit 3ba77f0ed2
parent 413fd8d7ea
5 changed files with 18 additions and 11 deletions
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@ -0,0 +1,3 @@
+[defaults]
+host_key_checking = False
+inventory = ./inventory
--- a/ansible/group_vars/microk8s/btrix_values.j2
+++ b/ansible/group_vars/microk8s/btrix_values.j2
@ -10,6 +10,7 @@ ingress:
  scheme: "https"
  tls: true

+# optional second-host for signing archives
 signer:
  enabled: true
-  host: "signing.microk8s.browsertrix.cloud"
+  host: "second-host.{{ domain }}"
--- a/ansible/playbooks/install_microk8s.yml
+++ b/ansible/playbooks/install_microk8s.yml
@ -65,14 +65,14 @@
      immediate: true
      state: enabled
    loop:
-      - 16443/tcp
      - 10250/tcp
      - 10255/tcp
-      - 25000/tcp
-      - 12379/tcp
      - 10257/tcp
      - 10259/tcp
+      - 12379/tcp
+      - 16443/tcp
      - 19001/tcp
+      - 25000/tcp
      - 4789/udp
    when:
      - ansible_os_family == "RedHat"
--- a/chart/examples/microk8s-hosted.yaml
+++ b/chart/examples/microk8s-hosted.yaml
@ -28,10 +28,12 @@

 ingress:
  # required: set host to use tls
-  # host: "..."
+  # uncomment and replace example below with your registered domain
+  # host: "yourdomain.org"

  # required: set email to use tls
-  #cert_email: "..."
+  # uncomment and replace example below with your valid email address
+  #cert_email: "you@yourdomain.org"

  scheme: "https"
  tls: true
@ -43,14 +45,15 @@ ingress_class: "public"
 signer:
  enabled: true

-  # host: ...
+  # uncomment and replace example below with your registered domain
+  # host: "second.yourdomain.org"


 # optionally, override default mongodb auth, used for all data storage:

 #mongo_auth:
-  #username: root
-  #password: PASSWORD!
+  # username: root
+  # password: PASSWORD!
  

 # optionally, set these to custom values
--- a/docs/deploy/production.md
+++ b/docs/deploy/production.md
@ -3,7 +3,7 @@
 For production and hosted deployments (both on a single machine or in the cloud), the only requirement is to have a designed domain
 and (strongly recommended, but not required) second domain for signing web archives. 

-We are also experimenting with [Ansible playbooks](./ansible) for cloud deployment setups.
+We are also experimenting with [Ansible playbooks](../deploy/ansible) for cloud deployment setups.

 The production deployments also allow using an external mongodb server, and/or external S3-compatible storage instead of the bundled minio.

@ -12,7 +12,7 @@ The production deployments also allow using an external mongodb server, and/or e

 For a single-machine production deployment, we recommend using microk8s.

-1. Install MicroK8S, as suggested in [the local deployment guide](./local) and ensure the `ingress` and `cert-manager` addons are also enabled.
+1. Install MicroK8S, as suggested in [the local deployment guide](../deploy/local.md) and ensure the `ingress` and `cert-manager` addons are also enabled.

 2. Copy `cp ./chart/examples/microk8s-hosted.yaml ./chart/my-config.yaml` to make local changes.