BoxingOctopus/stratiform
Stratiform

stratiform is an Ansible playbook for provisioning, configuring, and managing DigitalOcean droplets.

1. Setup

This playbook requires the following ansible-galaxy roles and collections:

Collections

  • community.digitalocean
  • community.general

Roles

  • oefenweb.fail2ban

To install these dependencies, run the following commands from the root folder of this repository:

ansible-galaxy collection install -r collection-requirements.yml
ansible-galaxy install -r role-requirements.yml

For further documentation on these collections and roles, see the official docs on Ansible Galaxy.


In addition to basic droplet provisioning, some post-provisioning is also performed in order to make the environment a little more user-friendly and secure, by installing the following:

1.1. Security

  • Non-Root SSH access (DigitalOcean Droplets use root by default)
  • Mandatory Access Controls (via AppArmor/SELinux)
  • UFW (Ubuntu Only)
  • Fail2Ban

1.2. Usability

NOTE: If you would prefer NOT to install these extra tools, add 'install_extras': no to the extra-variables dictionary passed to the ansible-playbook command shown in section 3, or alternatively add install_extras: no to ./group_vars/all before running the playbook.

2. Usage

2.1. Hosts

Hosts in this playbook are not static, and are registered by the do_droplet role into the dynamic inventory.

2.2. Group Vars

./group_vars/all is the main configuration source for this playbook. Any variables you need to update can be found there. Please do not update or change the role variables or edit the tasks or site.yml directly.

2.3. Special Variables

In order to provision a new droplet, you must provide your DigitalOcean OAuth/API Token, along with at least one SSH key fingerprint from your DigitalOcean account.

These values should never be checked in as code, so the best way to pass them is at runtime as a JSON object, with the SSH key fingerprints passed as a list. The exact syntax can be found in section 3 below.

2.4. Images, Sizes, and Regions

DigitalOcean's API refers to their various droplet sizes, images, and regions using slugs. Valid droplet size, region, and image slugs are as follows:

2.4.1. Sizes

Dedicated CPU

General Purpose    CPU-Optimized    Memory-Optimized    Storage-Optimized
g-2vcpu-8gb        c-2              m-2vcpu-16gb        so-2vcpu-16gb
g-4vcpu-16gb       c-4              m-4vcpu-32gb        so1_5-2vcpu-16gb
gd-2vcpu-8gb       c2-2vcpu-4gb     m3-2vcpu-16gb
gd-4vcpu-16gb      c2-4vcpu-8gb     m6-2vcpu-16gb

Shared CPU

Sizes
s-1vcpu-2gb
s-2vcpu-2gb
s-2vcpu-4gb
s-4vcpu-8gb
s-8vcpu-16gb
2.4.2. Droplet Images

NOTE: This is only a list of slugs for standard images. For a list of One-Click Application images, consult the official API docs, or use the following doctl command:

doctl compute image list-application

Currently this playbook only fully supports Ubuntu-based images.

Image Slug            Image OS/Version
centos-7-x64          CentOS 7 (64-bit)
centos-8-x64          CentOS 8 (64-bit)
debian-9-x64          Debian 9 (64-bit)
debian-10-x64         Debian 10 (64-bit)
fedora-32-x64         Fedora 32 (64-bit)
fedora-33-x64         Fedora 33 (64-bit)
fedora-34-x64         Fedora 34 (64-bit)
freebsd-11-x64-zfs    FreeBSD 11 (64-bit) w/ZFS Support
freebsd-11-x64-ufs    FreeBSD 11 (64-bit) w/UFS Support
freebsd-12-x64-ufs    FreeBSD 12 (64-bit) w/ZFS Support
freebsd-12-x64-zfs    FreeBSD 12 (64-bit) w/UFS Support
rancheros             RancherOS 1.5.8 (64-bit)
ubuntu-16-04-x32      Ubuntu 16.04 LTS (32-bit)
ubuntu-16-04-x64      Ubuntu 16.04 LTS (64-bit)
ubuntu-18-04-x64      Ubuntu 18.04 LTS (64-bit)
ubuntu-20-04-x64      Ubuntu 20.04 LTS (64-bit)
ubuntu-20-10-x64      Ubuntu 20.10 (64-bit)
ubuntu-21-10-x64      Ubuntu 21.10 (64-bit)

2.4.3. Regions

Slug    Name
ams2    Amsterdam 2
ams3    Amsterdam 3
blr1    Bangalore 1
fra1    Frankfurt 1
nyc1    New York 1
nyc2    New York 2
nyc3    New York 3
lon1    London 1
sfo1    San Francisco 1
sfo2    San Francisco 2
sfo3    San Francisco 3
sgp1    Singapore 1
tor1    Toronto 1

3. Playbook

To run the playbook and set up droplets, run the following command:

ansible-playbook -e "{'do_api_key':'<your_digitalocean_api_key>','do_ssh_key_fingerprints':['00:de:ad:be:ef:88:ab:cd:ef:12:34:56:78:00:aa:bb','...']}" site.yml

You can also use an Ansible Vault by placing the following YAML data into ./group_vars/vault.yml, with the accompanying vault password in ./.vaultpasswd:

do_api_key: '<your_digitalocean_api_key>'
do_ssh_key_fingerprints: ['00:de:ad:be:ef:88:ab:cd:ef:12:34:56:78:00:aa:bb','...']

NOTE: To get your SSH Key Fingerprint, run the following command:

ssh-keygen -E md5 -lf ~/.ssh/id_rsa | cut -d' ' -f2 | sed s/MD5\://g
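The following is an added pre-flight helper, not code from the Stratiform repository, tying together sections 2.3 and 3: it derives the same MD5 fingerprint the ssh-keygen command above prints, builds the extra-vars JSON object the ansible-playbook command expects while refusing the README's placeholder values, and checks that ./group_vars/vault.yml, if present, is actually vault-encrypted rather than plaintext. The DO_API_TOKEN environment variable and the demo key (a zeroed, non-functional ssh-ed25519 blob) are assumptions made for this example.

```python
import base64
import hashlib
import json
import os
import re
import shlex

# 16 colon-separated hex octets: the form `ssh-keygen -E md5 -lf` prints after "MD5:".
FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")
VAULT_HEADER = "$ANSIBLE_VAULT;"  # first bytes of every ansible-vault encrypted file


def md5_fingerprint(pubkey_line: str) -> str:
    """MD5 fingerprint of one OpenSSH public-key line ("ssh-ed25519 AAAA... comment")."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)  # wire-format key blob
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_extra_vars(api_key: str, fingerprints: list[str]) -> str:
    """Return the JSON object the README's `-e` argument expects, refusing placeholders."""
    if not api_key or api_key.startswith("<"):  # e.g. "<your_digitalocean_api_key>"
        raise ValueError("do_api_key must be a real DigitalOcean token")
    bad = [f for f in fingerprints if not FINGERPRINT_RE.match(f)]
    if bad or not fingerprints:
        raise ValueError(f"missing or malformed fingerprints: {bad}")
    return json.dumps({"do_api_key": api_key, "do_ssh_key_fingerprints": fingerprints})


def vault_file_is_encrypted(path: str) -> bool:
    """True if the vault file is absent or ansible-vault encrypted; False if plaintext."""
    if not os.path.exists(path):
        return True
    with open(path, encoding="utf-8") as fh:
        return fh.readline().startswith(VAULT_HEADER)


def demo_pubkey() -> str:
    """Constructed ssh-ed25519 key line (zeroed point, NOT a real key) for offline use."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@example"


if __name__ == "__main__":
    token = os.environ.get("DO_API_TOKEN", "<unset>")  # assumed variable name; never a repo file
    if not vault_file_is_encrypted("group_vars/vault.yml"):
        raise SystemExit("group_vars/vault.yml is plaintext: run `ansible-vault encrypt` first")
    extra_vars = build_extra_vars(token, [md5_fingerprint(demo_pubkey())])
    print("ansible-playbook -e", shlex.quote(extra_vars), "site.yml")
```

Passing the token via -e still exposes it to shell history and the process list, so the vault route above is the safer of the two options the README offers.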
