Manual Provisioning of Production Machine

The Ansible playbook still does most of the heavy lifting to set up a production machine. However, there are currently manual steps that need to be performed before the playbook can be run.

  1. Install Debian 12, and log in as root

  2. $ apt update && apt install ansible git sshpass python3-pip

  3. Specify hosts in /etc/ansible/hosts (see example)

  4. Create app user tildes using $ adduser tildes

  5. Add tildes user to sudoers by running $ visudo and adding this line:

    tildes ALL=(ALL) NOPASSWD:ALL

  6. $ ln -s /home/tildes/tildes-cf/tildes /opt/tildes

  7. $ python3 -m pip install --break-system-packages -U ansible

  8. $ su --login tildes

  9. $ git clone https://gitlab.com/tildes-community/tildes-cf.git

  10. $ cd tildes-cf

  11. Set up a TLS certificate (see TLS certificate)

  12. $ cp tildes/production.ini.example tildes/production.ini

  13. $ ansible-playbook ansible/playbook.yml

Example Ansible hosts file

TODO: Modify the below to use SSH key instead of password

[all:vars]
ansible_user=tildes
; NOTE: Using an SSH password is insecure until we improve this provisioning procedure to use SSH keys
ansible_ssh_pass=password

[app_server]
123.123.123.123  ; replace with your server's IP

[prod]
123.123.123.123  ; replace with your server's IP
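As an added example (not part of the tildes-cf repository), a POSIX shell pre-flight check that root can run before step 13 to confirm the manual steps above were done and to flag the password login the TODO above wants replaced with a key. File paths are parameters so the checks can be run against copies; the defaults are the locations the steps use, and ansible_ssh_private_key_file is the standard Ansible inventory variable for key-based login.

```shell
#!/bin/sh
# Pre-flight checks for the manual provisioning steps (added example, not tildes-cf code).
# Each check returns 0 when the step looks complete and 1 otherwise.

# Step 5: the exact sudoers line, whitespace-insensitive.
check_sudoers() {  # $1 = sudoers file
  grep -Eq '^tildes[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:ALL[[:space:]]*$' "$1"
}

# Step 6: the link must point at the expected target, and the target must exist
# (the link dangles until the clone in step 9 has been made).
check_symlink() {  # $1 = link path, $2 = expected target
  [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ] && [ -d "$1" ]
}

# Step 3: ansible_user must be tildes; a password login and the placeholder IP
# from the example file are reported as findings.
check_inventory() {  # $1 = inventory file; prints findings, returns 1 on any
  rc=0
  grep -Eq '^ansible_user=tildes[[:space:]]*$' "$1" \
    || { echo "inventory: ansible_user is not tildes"; rc=1; }
  if grep -Eq '^ansible_ssh_pass=' "$1"; then
    echo "inventory: ansible_ssh_pass set; use ansible_ssh_private_key_file instead"; rc=1
  fi
  grep -q '123\.123\.123\.123' "$1" \
    && { echo "inventory: placeholder IP 123.123.123.123 still present"; rc=1; }
  return $rc
}

# Step 12: production.ini must have been created from the example.
check_ini() {  # $1 = production.ini
  [ -f "$1" ]
}

# Run all checks with the default locations from the steps above.
# Usage (as root): preflight [inventory] [sudoers] [symlink] [production.ini]
preflight() {
  rc=0
  check_sudoers "${2:-/etc/sudoers}" || { echo "sudoers: tildes NOPASSWD line missing"; rc=1; }
  check_symlink "${3:-/opt/tildes}" /home/tildes/tildes-cf/tildes \
    || { echo "symlink: /opt/tildes does not resolve to the checkout"; rc=1; }
  check_inventory "${1:-/etc/ansible/hosts}" || rc=1
  check_ini "${4:-/home/tildes/tildes-cf/tildes/production.ini}" \
    || { echo "ini: tildes/production.ini not found"; rc=1; }
  return $rc
}
```

Source the file and call `preflight` as root; a non-zero return lists which manual step is incomplete.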

TLS Certificate

Normally a server operator should choose a high quality Certificate Authority like Let's Encrypt to acquire TLS certificates.

During testing, we can use self-signed certificates:

  1. Modify ansible/playbook.yml, adding this line under prod:

    - self_signed_ssl_cert

  2. Modify ansible/group_vars/prod.yml, adding these lines:

    ssl_cert_dir: /etc/pki/tls/certs
    ssl_cert_path: "{{ ssl_cert_dir }}/localhost.crt"
    ssl_private_key_path: "{{ ssl_cert_dir }}/localhost.key"