WIP: ansible: add ansible tower playbook #1390
Conversation
@maclover7 I'm happy to move it over if others from @nodejs/build agree?
Moving to ansible-tower role sounds good to me.
@rvagg could you add this machine to the Cloudflare DNS record so that I can configure the job to point to
@maclover7 I've now moved this to an ansible-tower role
DNS entry done. Although I've had to change SSL to "flexible" to allow the backend to be http rather than https. Apparently in "full", as it was set, we could even expose https on the server with a self-signed certificate and it would be cool with that. Perhaps we should do that so the Cloudflare<->host comms are encrypted as well? We have a wildcard certificate but that should go away soon if we switch to letsencrypt or we might just switch to Cloudflare's own certificates. Or, maybe we could do letsencrypt on this ansible host for comms with Cloudflare? Can we expose /.well-known/ on it to verify with letsencrypt?

So next up, authenticating with GitHub. There is an OAuth app, like our Jenkins servers, and there's GitHub apps. It looks like we might need the latter so it can access GitHub resources? I'm not really sure how that works and what it can access and as who, but this is the config screen:

Are there docs somewhere about this we can see for Ansible Tower to understand what the implications are? We'll probably need to give the TSC a heads-up.
I had to switch back to "full" SSL on Cloudflare because it screwed up nodejs.org! I don't know how or why, but it made it stick clients into a redirect loop. So for now, we're going to need an SSL cert of some kind on this new server for it to work via https.
@gdams sorry for the complexity but I don't see an easier way around this for now, our options I think are:
Since you're probably going to be stuck with the work I'll leave it up to you. I have no preference.
@rvagg I'm happy to use letsencrypt! Looks like there is already a nice ansible module that we could implement... https://docs.ansible.com/ansible/2.5/modules/letsencrypt_module.html
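For reference, this is what the two-step flow with the Ansible 2.5 `letsencrypt` module linked above looks like when the `http-01` challenge is answered by serving files under `/.well-known/acme-challenge/` on the host, which is the "expose /.well-known/ on it" option raised earlier in the thread. It is an added example and not part of this pull request or the nodejs/build playbooks; the hostname `tower.example.org`, the `/etc/ssl/tower` key and CSR paths, the `/var/www/html` web root and the `tower_admin@example.org` account e-mail are placeholders chosen for illustration, and it assumes a web server on the host already serves that directory on port 80 (Cloudflare proxies port 80 through to the origin, so the challenge can be validated even while the public site is proxied).

```yaml
# Added example: obtain a Let's Encrypt certificate for the origin host with the
# Ansible 2.5 `letsencrypt` module and an http-01 challenge. All hostnames,
# paths and the account e-mail below are placeholders, not project values.
- hosts: tower
  become: yes
  vars:
    le_domain: tower.example.org            # placeholder hostname
    le_dir: /etc/ssl/tower                  # placeholder key/CSR/cert directory
    le_webroot: /var/www/html               # placeholder web root served on port 80
    # Staging endpoint while testing; switch to the production directory once
    # the flow works, because staging certificates are not browser-trusted.
    le_acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
  tasks:
    - name: Ensure certificate directory exists
      file:
        path: "{{ le_dir }}"
        state: directory
        mode: "0700"

    # The ACME account key identifies us to Let's Encrypt; keep it separate
    # from the certificate key so the two can be rotated independently.
    - name: Generate ACME account key
      openssl_privatekey:
        path: "{{ le_dir }}/account.key"
        size: 4096

    - name: Generate certificate private key
      openssl_privatekey:
        path: "{{ le_dir }}/{{ le_domain }}.key"
        size: 4096

    - name: Generate CSR for the host
      openssl_csr:
        path: "{{ le_dir }}/{{ le_domain }}.csr"
        privatekey_path: "{{ le_dir }}/{{ le_domain }}.key"
        common_name: "{{ le_domain }}"

    # Step 1: ask the CA for the challenge. The module returns the token path
    # and value under challenge_data.<domain>.http-01 and reports "changed"
    # only when the existing certificate has fewer than remaining_days left.
    - name: Request http-01 challenge
      letsencrypt:
        account_key_src: "{{ le_dir }}/account.key"
        account_email: tower_admin@example.org   # placeholder e-mail
        acme_directory: "{{ le_acme_directory }}"
        acme_version: 2
        terms_agreed: yes
        challenge: http-01
        csr: "{{ le_dir }}/{{ le_domain }}.csr"
        dest: "{{ le_dir }}/{{ le_domain }}.crt"
        fullchain_dest: "{{ le_dir }}/{{ le_domain }}-fullchain.crt"
        remaining_days: 30
      register: le_challenge

    # Place the token where the CA will fetch it over plain HTTP:
    # http://tower.example.org/.well-known/acme-challenge/<token>
    - name: Publish challenge token under /.well-known/acme-challenge/
      copy:
        dest: "{{ le_webroot }}/{{ le_challenge['challenge_data'][le_domain]['http-01']['resource'] }}"
        content: "{{ le_challenge['challenge_data'][le_domain]['http-01']['resource_value'] }}"
        mode: "0644"
      when: le_challenge is changed

    # Step 2: hand the challenge data back so the CA validates it and issues
    # the certificate into dest / fullchain_dest.
    - name: Validate challenge and fetch certificate
      letsencrypt:
        account_key_src: "{{ le_dir }}/account.key"
        account_email: tower_admin@example.org   # placeholder e-mail
        acme_directory: "{{ le_acme_directory }}"
        acme_version: 2
        terms_agreed: yes
        challenge: http-01
        csr: "{{ le_dir }}/{{ le_domain }}.csr"
        dest: "{{ le_dir }}/{{ le_domain }}.crt"
        fullchain_dest: "{{ le_dir }}/{{ le_domain }}-fullchain.crt"
        remaining_days: 30
        data: "{{ le_challenge }}"
      when: le_challenge is changed
```

With the issued chain and key installed in the web server on the host, Cloudflare can stay in "full" mode with an encrypted Cloudflare<->host hop, and because the play only reports a change when fewer than `remaining_days` remain on the current certificate, running it from a scheduled Tower job handles renewal without touching a valid certificate.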
This playbook will create the basic AWX tower machine. There are a few things that we will probably still want to add: