From 3ba77f0ed24b8820414ed4fbec1d4923597ae10f Mon Sep 17 00:00:00 2001
From: Francis Kayiwa
Date: Fri, 24 Feb 2023 20:28:21 -0500
Subject: [PATCH] ansible: rocky firewall (#635)

* modify the template file to highlight optional host that stores WAC files
* numerically reorder the tcp ports - fix the 404's on the documentation
* add a configuration file - this allows automatic selection of inventory directory
* provide better examples on documentation
---
 ansible/ansible.cfg | 3 +++
 ansible/group_vars/microk8s/btrix_values.j2 | 3 ++-
 ansible/playbooks/install_microk8s.yml | 6 +++---
 chart/examples/microk8s-hosted.yaml | 13 ++++++++-----
 docs/deploy/production.md | 4 ++--
 5 files changed, 18 insertions(+), 11 deletions(-)
 create mode 100644 ansible/ansible.cfg

diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 00000000..ee55853a
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+host_key_checking = False
+inventory = ./inventory
diff --git a/ansible/group_vars/microk8s/btrix_values.j2 b/ansible/group_vars/microk8s/btrix_values.j2
index aa7dc4fa..819f5252 100644
--- a/ansible/group_vars/microk8s/btrix_values.j2
+++ b/ansible/group_vars/microk8s/btrix_values.j2
@@ -10,6 +10,7 @@ ingress:
 scheme: "https"
 tls: true
+# optional second-host for signing archives
 signer:
 enabled: true
- host: "signing.microk8s.browsertrix.cloud"
+ host: "second-host.{{ domain }}"
diff --git a/ansible/playbooks/install_microk8s.yml b/ansible/playbooks/install_microk8s.yml
index 51da62b1..dccec20c 100644
--- a/ansible/playbooks/install_microk8s.yml
+++ b/ansible/playbooks/install_microk8s.yml
@@ -65,14 +65,14 @@
 immediate: true
 state: enabled
 loop:
- - 16443/tcp
 - 10250/tcp
 - 10255/tcp
- - 25000/tcp
- - 12379/tcp
 - 10257/tcp
 - 10259/tcp
+ - 12379/tcp
+ - 16443/tcp
 - 19001/tcp
+ - 25000/tcp
 - 4789/udp
 when:
 - ansible_os_family == "RedHat"
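Review bot: `host_key_checking = False` in the new `[defaults]` section turns off SSH host-key verification for every play run from this directory, so the first connection to a target (or to one whose key has changed) is accepted with no trust anchor and a tampered path to the host would go unnoticed. If the setting only exists to bootstrap freshly provisioned Rocky hosts, prefer keeping the default and seeding known_hosts for the inventory hosts, or pass the override per run through the `ANSIBLE_HOST_KEY_CHECKING` environment variable rather than committing it. At minimum a comment above the line, such as `# disables SSH host-key verification for every run; acceptable only while bootstrapping throwaway hosts`, would make the trade-off visible to the next person who reuses this config.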
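Review bot: The new comment calls the signer host optional, but `host: "second-host.{{ domain }}"` is rendered unconditionally under `signer:` / `enabled: true`, so an inventory that has no second domain registered still produces a signer pointed at a name that may not resolve. If the host really is optional, the stanza (or `enabled`) should be gated on an inventory variable and the comment should name it; if it is not, reword the comment so the requirement is explicit, e.g. `# host used for signing archives; a DNS record for second-host under the deployment domain must exist, or set enabled: false`. The `signer:` mapping may continue past the end of the hunk.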
diff --git a/chart/examples/microk8s-hosted.yaml b/chart/examples/microk8s-hosted.yaml
index 8fc1fcad..c078f81b 100644
--- a/chart/examples/microk8s-hosted.yaml
+++ b/chart/examples/microk8s-hosted.yaml
@@ -28,10 +28,12 @@ ingress:
 # required: set host to use tls
- # host: "..."
+ # uncomment and replace example below with your registered domain
+ # host: "yourdomain.org"
 # required: set email to use tls
- #cert_email: "..."
+ # uncomment and replace example below with your valid email address
+ #cert_email: "you@yourdomain.org"
 scheme: "https"
 tls: true
@@ -43,14 +45,15 @@ ingress_class: "public"
 signer:
 enabled: true
- # host: ...
+ # uncomment and replace example below with your registered domain
+ # host: "second.yourdomain.org"
 # optionally, override default mongodb auth, used for all data storage:
 #mongo_auth:
- #username: root
- #password: PASSWORD!
+ # username: root
+ # password: PASSWORD!
 # optionally, set these to custom values
diff --git a/docs/deploy/production.md b/docs/deploy/production.md
index da10c264..71213652 100644
--- a/docs/deploy/production.md
+++ b/docs/deploy/production.md
@@ -3,7 +3,7 @@
 For production and hosted deployments (both on a single machine or in the cloud), the only requirement is to have a designed domain and (strongly recommended, but not required) second domain for signing web archives.
-We are also experimenting with [Ansible playbooks](./ansible) for cloud deployment setups.
+We are also experimenting with [Ansible playbooks](../deploy/ansible) for cloud deployment setups.
 The production deployments also allow using an external mongodb server, and/or external S3-compatible storage instead of the bundled minio.
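Review bot: The re-indented `# username: root` / `# password: PASSWORD!` lines now uncomment into a valid nested mapping, but the comment above them still describes the MongoDB override as merely optional, and this is the file the production guide tells operators to copy for a hosted deployment. If the chart falls back to built-in credentials when `mongo_auth` is left unset — not visible in this hunk, please confirm against the chart values — that should be stated here so an internet-facing install does not keep them. A comment such as `# strongly recommended for hosted deployments: set your own username and password here` placed above `#mongo_auth:` would carry that; the `PASSWORD!` placeholder itself is fine as an obviously fake example.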
@@ -12,7 +12,7 @@ The production deployments also allow using an external mongodb server, and/or e
 For a single-machine production deployment, we recommend using microk8s.
-1. Install MicroK8S, as suggested in [the local deployment guide](./local) and ensure the `ingress` and `cert-manager` addons are also enabled.
+1. Install MicroK8S, as suggested in [the local deployment guide](../deploy/local.md) and ensure the `ingress` and `cert-manager` addons are also enabled.
 2. Copy `cp ./chart/examples/microk8s-hosted.yaml ./chart/my-config.yaml` to make local changes.