Vagrant-based testing environment

samsapti commented

2022-11-14 20:59:47 +00:00

Owner

The purpose of this PR is to provide a way to test our setup locally, since we don't have a staging server (yet).

I have fixed the existing Vagrantfile to work with our Ansible setup, and then I have refactored the Ansible setup a bit to work with Vagrant. I have also fixed a couple errors preventing deployment in general. The fixes include:

Moving postfix up in the services-list so that the postfix Docker network exist when the other services need it
Removing config_path from the docker_login task, so that when deployed in Vagrant, it can connect to the remote registry running on the production server
Adding tasks to change the port sshd is listening on if not already configured
Only installing Dell OpenManage when not running in a VM

The only thing I would like some input on is, that when trying to deploy Mailu, it fails to link the TLS certificate files from nginx-proxy, since they don't exists due to missing DNS records to the Vagrant VM (of course). How should we handle that? One way would be to add ignore_errors: true to said tasks, but that would cause ignored errors in production as well, which is undesirable. Or maybe we could skip the aforementioned tasks only if it's running in a VM, the same way I have done it with Dell OpenManage. Other suggestions are welcomed.

The purpose of this PR is to provide a way to test our setup locally, since we don't have a staging server (yet). I have fixed the existing Vagrantfile to work with our Ansible setup, and then I have refactored the Ansible setup a bit to work with Vagrant. I have also fixed a couple errors preventing deployment in general. The fixes include: - Moving postfix up in the services-list so that the `postfix` Docker network exist when the other services need it - Removing `config_path` from the `docker_login` task, so that when deployed in Vagrant, it can connect to the remote registry running on the production server - Adding tasks to change the port sshd is listening on if not already configured - Only installing Dell OpenManage when not running in a VM The only thing I would like some input on is, that when trying to deploy Mailu, it fails to link the TLS certificate files from nginx-proxy, since they don't exists due to missing DNS records to the Vagrant VM (of course). How should we handle that? One way would be to add `ignore_errors: true` to said tasks, but that would cause ignored errors in production as well, which is undesirable. Or maybe we could skip the aforementioned tasks only if it's running in a VM, the same way I have done it with Dell OpenManage. Other suggestions are welcomed.

samsapti added 8 commits 2022-11-14 20:59:48 +00:00

Make Ansible setup testable in Vagrant 6a16328b7b

Added logic to change the sshd port if not already configured,
configued Vagrantfile to work properly and fixed a couple of deploy
errors.

Some Vagrant fixes 581c832b36

Only install Dell OpenManage if not running in a VM, and fix SSH port
logic.

Fix SSH port logic again d0904a96a8

Vagrant: Use same Ubuntu version as in production 41f09e7b33

Don't use local config for Docker registry login 01d9d3c04b

It doesn't work when deploying in Vagrant :(

Simplify config and rename some files 3b7c096f8e

Naming changes 79ec0627d4

Remove state: latest 42ebebc3f5

samsapti changed title from ~~Vagrant-based testing environment~~ to WIP: Vagrant-based testing environment

2022-11-15 19:58:13 +00:00

samsapti commented

2022-11-15 20:04:09 +00:00

Author

Owner

@valberg suggested using vagrant-dns with a custom base_domain (e.g. datacoop.devel) for accessing services from Vagrant. We still need to figure out the TLS problem though.

TODO: Allocate time to look into it.

UPDATE: Unfortunately it only works on macOS :(

@valberg suggested using [vagrant-dns](https://github.com/BerlinVagrant/vagrant-dns) with a custom `base_domain` (e.g. `datacoop.devel`) for accessing services from Vagrant. We still need to figure out the TLS problem though. TODO: Allocate time to look into it. UPDATE: Unfortunately it only works on macOS :(

valberg commented

2022-11-15 21:11:50 +00:00

Owner

Regarding the certificate issue I think we should do the following:

Have a tag called ssl_certs_enabled which defaults to ansible_virtualization_role != guest (this probably means that we can move virtualization.yml into playbook.yml because it becomes a core task that always should run)
Put the nginx letsencrypt container task in `nginx-proxy.yml behind that tag
Put the hard link to Let's Encrypt TLS (certificate|key) in mailu.yml behind that tag

We might have other places where ssl can be switched on/off, we can find and fix these as we go along.

Regarding the certificate issue I think we should do the following: - Have a tag called `ssl_certs_enabled` which defaults to `ansible_virtualization_role != guest` (this probably means that we can move `virtualization.yml` into `playbook.yml` because it becomes a core task that always should run) - Put the `nginx letsencrypt container` task in `nginx-proxy.yml behind that tag - Put the `hard link to Let's Encrypt TLS (certificate|key)` in `mailu.yml` behind that tag We might have other places where ssl can be switched on/off, we can find and fix these as we go along.

valberg commented

2022-11-15 21:39:38 +00:00

Owner

We should consider adding some documentation on how to use the vagrant setup - in fact we need a README.md for the whole repo. This is as good a time as any to add that.

👍 2

valberg added 1 commit 2022-11-15 22:06:40 +00:00

Add ssl_certs_enabled variable and use it to avoid ssl certs when running on vagrant 5d0c913c2a

valberg force-pushed vagrant from 5d0c913c2a to 253a21432e

2022-11-15 22:06:54 +00:00

Compare

valberg commented

2022-11-15 22:08:33 +00:00

Owner

@samsapti I just implemented my idea of how to do the SSL part. I then realized that the variable is more a letsencrypt_enabled and we could do some "self signed certs" if that variable is set to True. But it feels like quite the effort.

@samsapti I just implemented my idea of how to do the SSL part. I then realized that the variable is more a `letsencrypt_enabled` and we could do some "self signed certs" if that variable is set to True. But it feels like quite the effort.

samsapti commented

2022-11-16 10:24:33 +00:00

Author

Owner

this probably means that we can move virtualization.yml into playbook.yml because it becomes a core task that always should run

No, we can't do that, because the SSH port needs to be configured before it can run. When running in Vagrant, ansible_port is set to 2222 regardless of what the inventory file says.

> this probably means that we can move virtualization.yml into playbook.yml because it becomes a core task that always should run No, we can't do that, because the SSH port needs to be configured before it can run. When running in Vagrant, `ansible_port` is set to 2222 regardless of what the inventory file says.

valberg commented

2022-11-16 10:27:36 +00:00

Owner

this probably means that we can move virtualization.yml into playbook.yml because it becomes a core task that always should run

No, we can't do that, because the SSH port needs to be configured before it can run. When running in Vagrant, ansible_port is set to 2222 regardless of what the inventory file says.

I have moved it already. I think we should just not do the SSH port stuff if vagrant == true

> > this probably means that we can move virtualization.yml into playbook.yml because it becomes a core task that always should run > > No, we can't do that, because the SSH port needs to be configured before it can run. When running in Vagrant, `ansible_port` is set to 2222 regardless of what the inventory file says. I have moved it already. I think we should just not do the SSH port stuff if `vagrant == true`

samsapti commented

2022-11-16 10:29:12 +00:00

Author

Owner

@samsapti I just implemented my idea of how to do the SSL part. I then realized that the variable is more a letsencrypt_enabled and we could do some "self signed certs" if that variable is set to True. But it feels like quite the effort.

I think you mean if it's set to False, but I get your point. Could we perhaps drop TLS entirely when running in Vagrant? I can't really see why we would need it.

> @samsapti I just implemented my idea of how to do the SSL part. I then realized that the variable is more a `letsencrypt_enabled` and we could do some "self signed certs" if that variable is set to True. But it feels like quite the effort. I think you mean if it's set to False, but I get your point. Could we perhaps drop TLS entirely when running in Vagrant? I can't really see why we would need it.

valberg commented

2022-11-16 10:33:22 +00:00

Owner

@samsapti I just implemented my idea of how to do the SSL part. I then realized that the variable is more a letsencrypt_enabled and we could do some "self signed certs" if that variable is set to True. But it feels like quite the effort.

I think you mean if it's set to False, but I get your point. Could we perhaps drop TLS entirely when running in Vagrant? I can't really see why we would need it.

Ah yes of course 😊 well I mostly agree, but being able to run the whole infrastructure with self signed certs could make sense - somehow. But let's not spend time on that now.

> > @samsapti I just implemented my idea of how to do the SSL part. I then realized that the variable is more a `letsencrypt_enabled` and we could do some "self signed certs" if that variable is set to True. But it feels like quite the effort. > > I think you mean if it's set to False, but I get your point. Could we perhaps drop TLS entirely when running in Vagrant? I can't really see why we would need it. Ah yes of course 😊 well I mostly agree, but being able to run the whole infrastructure with self signed certs could make sense - somehow. But let's not spend time on that now.

👍 1

samsapti commented

2022-11-16 10:35:30 +00:00

Author

Owner

I think we should just not do the SSH port stuff if vagrant == true

We still need to change the port, because Gitea needs port 22. The Vagrant VM's internal SSH port is default 22, it's only the forwarded port to the host that's 2222. Also, the point of running in Vagrant is to be able to test as much of the infrastructure as possible, so I disagree here.

> I think we should just not do the SSH port stuff if vagrant == true We still need to change the port, because Gitea needs port 22. The Vagrant VM's internal SSH port is default 22, it's only the forwarded port to the host that's 2222. Also, the point of running in Vagrant is to be able to test as much of the infrastructure as possible, so I disagree here.

samsapti added 1 commit 2022-11-16 19:36:30 +00:00

Create separate role for SSH and Vagrant 57ca1e9233

- Added a separate role that first configures SSH, and after that
  gathers the ansible_virtualization_role fact, due to gathering facts
  requiring an SSH connection
- Renamed ssl_certs_enabled to letsencrypt_enabled and moved that
  and the vagrant variable to the be supplied directly to the last two
  roles in playbook.yml
- Added tags base_only and setup_services to the new role
  ssh_and_vagrant so that it will always be run before anything else
  when using deploy.sh

samsapti commented

2022-11-16 19:37:07 +00:00

Author

Owner

I've implemented a different approach. According to Vagrant, this works as it should.

samsapti commented

2022-11-16 20:24:05 +00:00

Author

Owner

We should consider adding some documentation on how to use the vagrant setup - in fact we need a README.md for the whole repo. This is as good a time as any to add that.

Just referencing #59 here.

> We should consider adding some documentation on how to use the vagrant setup - in fact we need a README.md for the whole repo. This is as good a time as any to add that. Just referencing #59 here.

valberg added 1 commit 2022-11-17 07:54:33 +00:00

Keep ansible "clean" and do ssh port magic in Vagrantfile. 9a5d780f2b

samsapti commented

2022-11-17 08:24:23 +00:00

Author

Owner

@valberg, looks good! I haven't tested it yet though.

samsapti added 1 commit 2022-11-17 21:16:05 +00:00

Simplify SSH configuration 6e383d6afa

Now that the Vagrantfile supplies SSH port information to Ansible, we no
longer need to figure it out in Ansible. Also, since gather_facts (which
requires an SSH connection) is set to true in playbook.yml, one needs to
supply --extra-vars "ansible_port=22" on the commandline when
provisioning for the first time on real hardware, because the port is
hardcoded in the inventory file.

samsapti added 1 commit 2022-11-17 21:17:58 +00:00

Remove notify d48e684647

samsapti added 1 commit 2022-11-18 19:53:34 +00:00

Fix mount point for Watchtower c802e53858

samsapti force-pushed vagrant from c802e53858 to d48e684647

2022-11-18 19:55:42 +00:00

Compare

samsapti added 1 commit 2022-11-18 22:35:34 +00:00

Some improvements a67d82ad88

- Always use the new port if the VM is already provisioned
- We're not using a multi-VM setup, so no need to define VM "datacoop"
- Increase minimum required Vagrant version
- Add static IP for hopefully implementing some sort of DNS in the
  future
- Hardcode registry domain to use the real registry in Vagrant

samsapti added 1 commit 2022-11-22 21:11:01 +00:00

Merge branch 'main' into vagrant c6269636cd