Long, long overdue post going over my Ansible config for my DO server that's running this website/blog/thing. Does it count as a blog if you're writing raw HTML yourself? At any rate, I decided to use Ansible to configure my DigitalOcean droplet after Terraform built it for me. Why? Mostly due to comfort. I taught myself Ansible out of necessity in a previous role where I was able to automate quite a bit with it. It's just what I'm comfortable with. I'm sure the same sorts of things could be done with Chef, Puppet, SaltStack, a shell script, Python, and so on.
Ansible essentially connects to a system over SSH and turns the playbooks and roles in my repo into Python scripts that run on the host. Here they configure Docker (which runs the container for this site), a GitHub Actions runner (which gives GitHub's CI/CD tooling a way to reach the server), and certbot, which gets me free TLS certificates from Let's Encrypt and keeps them auto-renewed.
So, here are some core Ansible concepts that will come in handy if you check out my repo.
In my case, host_configure.yml says "Apply the roles docker, ghrunner, and certbot to webserver using the variables found in inventory/group_vars/vault.yml." So let's break down what those mean a bit.
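A playbook of that shape looks like the following. This is an added illustration, not the host_configure.yml from the post's repo; the role names and the vault path come from the description above. Listing the vault file explicitly under vars_files is an assumption about how it gets loaded: Ansible only auto-loads inventory/group_vars/<name>.yml for a group called <name>, so a file named vault.yml would not apply to the webserver group on its own.

```yaml
# host_configure.yml  (added example, not the post's own file)
- name: Configure the web server droplet
  hosts: webserver            # group name, resolved through the inventory
  become: true                # tasks run with sudo on the droplet
  vars_files:
    # Encrypted with ansible-vault; decrypted in memory for this run only,
    # so the ciphertext is what lives in the git repo.
    - inventory/group_vars/vault.yml
  roles:
    - docker
    - ghrunner
    - certbot
```

Run it with `ansible-playbook -i inventory host_configure.yml --ask-vault-pass` (or `--vault-password-file` pointing at a file kept outside the repo). The roles are applied in the order listed, which is why docker comes first below.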
The roles in the repo linked above are very minimalistic, and are laid out following Ansible's guidance for creating roles. Let's start with the docker role, since it's mentioned first in the playbook.
The docker role describes only two tasks:
Easy, right?
The ghrunner role is next. It's a bit more complex than the docker role above, but it's not too hard to grok:
The variable used in the previous step contains the GitHub runner token used to connect back to my GitHub repo, and it's been encrypted using Ansible Vault, so it can be safely stored in GitHub and yet still be available for Ansible to use. There's tons of good documentation around on how to use Ansible Vault.
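To make the vault linkage concrete, here is a ghrunner role in the same spirit. It is an added example, not the role from the post's repo: the variable names (ghrunner_version, ghrunner_sha256, ghrunner_token, ghrunner_repo_url), the service account name and the file paths are all assumptions. The two points worth copying are the checksum on the download and `no_log: true` on the one task that handles the decrypted token.

```yaml
# roles/ghrunner/tasks/main.yml  (added example, not the post's own role)
# Variables assumed to come from the vaulted vars file:
#   ghrunner_version  - runner release number, e.g. "2.xxx.x" (placeholder)
#   ghrunner_sha256   - SHA-256 published with that release (placeholder)
#   ghrunner_token    - registration token from the repo's Actions settings
#   ghrunner_repo_url - https://github.com/OWNER/REPO (placeholder)
- name: Create an unprivileged account for the runner
  ansible.builtin.user:
    name: ghrunner
    shell: /bin/bash
    create_home: true

- name: Download the runner release and verify its checksum
  ansible.builtin.get_url:
    url: "https://github.com/actions/runner/releases/download/v{{ ghrunner_version }}/actions-runner-linux-x64-{{ ghrunner_version }}.tar.gz"
    dest: /home/ghrunner/actions-runner.tar.gz
    checksum: "sha256:{{ ghrunner_sha256 }}"   # fail the play if the tarball changes
    owner: ghrunner
    mode: "0644"

- name: Unpack the runner into the service account's home
  ansible.builtin.unarchive:
    src: /home/ghrunner/actions-runner.tar.gz
    dest: /home/ghrunner
    remote_src: true
    owner: ghrunner
    creates: /home/ghrunner/config.sh          # skip once already unpacked

- name: Register the runner with the repository
  ansible.builtin.command:
    cmd: "./config.sh --unattended --url {{ ghrunner_repo_url }} --token {{ ghrunner_token }}"
    chdir: /home/ghrunner
    creates: /home/ghrunner/.runner            # config.sh writes this; makes the task idempotent
  become_user: ghrunner
  no_log: true   # keep the decrypted token out of console output and Ansible logs

- name: Install the runner as a systemd service owned by the service account
  ansible.builtin.command:
    cmd: ./svc.sh install ghrunner
    chdir: /home/ghrunner
    creates: /etc/systemd/system/actions.runner.*.service   # glob: unit name embeds org/repo

- name: Make sure the runner service is running
  ansible.builtin.command:
    cmd: ./svc.sh start
    chdir: /home/ghrunner
  changed_when: false   # systemctl start is a no-op when already running
```

The matching inventory/group_vars/vault.yml holds those four keys as plain YAML and is encrypted in place with `ansible-vault encrypt inventory/group_vars/vault.yml`, so the plaintext token never lands in git. Without `no_log`, a failed config.sh run would echo the full command line, token included, into the play output and any configured log_path.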
The last role Ansible uses is certbot. Sharp-eyed readers will notice this role is a bit different from the others: it includes a template directory, which I'll get to in a sec. Here's what the role's doing:
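Here is one way a certbot role can use its template directory, as an added example rather than the role from the post's repo. The variables certbot_domain, certbot_email and site_container_name, the template file name and the choice of a renewal deploy hook are all assumptions; the hook directory and the `certonly --standalone` flags are certbot's own.

```yaml
# roles/certbot/tasks/main.yml  (added example, not the post's own role)
# Assumed variables (defaults or vaulted): certbot_domain, certbot_email, site_container_name
- name: Install certbot from the distro package
  ansible.builtin.apt:
    name: certbot
    state: present
    update_cache: true

- name: Obtain the certificate on first run only
  ansible.builtin.command:
    cmd: >
      certbot certonly --standalone --non-interactive --agree-tos
      -m {{ certbot_email }} -d {{ certbot_domain }}
    creates: /etc/letsencrypt/live/{{ certbot_domain }}/fullchain.pem   # skip once issued

- name: Install a deploy hook so the site picks up renewed certificates
  ansible.builtin.template:
    src: reload-site.sh.j2                     # lives in roles/certbot/templates/
    dest: /etc/letsencrypt/renewal-hooks/deploy/reload-site.sh
    owner: root
    group: root
    mode: "0750"                               # certbot runs hooks as root; nobody else needs it

# roles/certbot/templates/reload-site.sh.j2, rendered by the task above (assumed content):
#   #!/bin/sh
#   # certbot runs this after each successful renewal and sets RENEWED_LINEAGE
#   docker restart {{ site_container_name }}
```

The Debian/Ubuntu certbot package ships a systemd timer (certbot.timer) that runs `certbot renew` twice daily, so nothing in the role has to schedule renewals. The caveat with the standalone authenticator is that it binds port 80 itself: if the site container already owns that port at renewal time the challenge fails, so either stop the container from a script in renewal-hooks/pre or switch to `--webroot` with a path the container serves.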
So that's what Ansible is doing. What about where it's running those tasks? If you recall, in the playbook linked above the hosts line in the YAML file is just 'webserver', which definitely is not enough info for Ansible to use. That's where an inventory comes into play. Mine is quite simple and contains only a single file with a single host (and the user to connect as).
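An inventory of that shape, written in Ansible's YAML inventory format, looks like this. It is an added example, not the file from the post's repo; the host alias, address and user name are placeholders.

```yaml
# inventory/hosts.yml  (added example; address and user are placeholders)
all:
  children:
    webserver:                 # must match "hosts: webserver" in the playbook
      hosts:
        droplet:
          ansible_host: 203.0.113.10         # TEST-NET-3 documentation address
          ansible_user: deploy                # non-root account with sudo; become escalates
          ansible_python_interpreter: /usr/bin/python3
```

Passing the directory rather than the file, `-i inventory`, lets Ansible read hosts.yml together with any group_vars and host_vars beneath it. `ansible-inventory -i inventory --graph` shows how the group resolves before you run anything, and because the group is a single host, `hosts: webserver` in the playbook targets exactly that droplet.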
So now we have the infrastructure in code with Terraform, the configuration in code with Ansible, and next I'll show you how to glue all this stuff together to make a working site.
Posted 2021-04-08