4.3.5.3 Ansible tasks when provisioning
A number of automated tasks run on your servers when the Ansible Provision action runs. It is worth understanding exactly what Ansible does to your servers, both to debug any issues and to contribute improvements to the process.
The Ansible tasks are located in infrastructure/server-setup/tasks.
application.yml
Creates a directory on your server with the right permissions and manages application logs:
This directory stores all OpenCRVS application files required for deployment, such as the "infrastructure" folder that contains the docker-compose files. The Deploy process copies these files to this location.
checks.yml
Validates that some variables are defined properly in the inventory files and GitHub Secrets before the other tasks use them.
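As an illustration of the kind of validation this task performs, here is an added example playbook; it is not OpenCRVS's own checks.yml. The lower-case variable names (encryption_key, disk_space, replicas) and the specific conditions are assumptions; only the secret names REPLICAS, DISK_SPACE and ENCRYPTION_KEY come from this page.

```yaml
# Added example, not OpenCRVS's own checks.yml.
# Assumed: the GitHub Secrets are passed into the play as the variables
# encryption_key, disk_space and replicas; the conditions below are illustrative.
- name: Validate provisioning variables before touching any server
  hosts: all
  gather_facts: false
  tasks:
    - name: Fail early if a required secret is missing or malformed
      ansible.builtin.assert:
        that:
          - encryption_key is defined
          - encryption_key | length >= 32          # assumed minimum key length
          - disk_space is defined
          - disk_space is match('^[0-9]+[GMT]$')   # e.g. 200G, as fallocate expects
          - replicas is defined
          - replicas | int >= 1
          # a cluster of N replicas needs at least N hosts in the inventory
          - (replicas | int) == 1 or (groups['all'] | length) >= (replicas | int)
        # assert only reports which expression failed, never the secret's value,
        # so this message is safe to show in the GitHub Actions log
        fail_msg: >-
          Provisioning aborted: ENCRYPTION_KEY, DISK_SPACE and REPLICAS must be
          set in GitHub Secrets / the inventory and satisfy the checks above.
        quiet: true
```

Because the play has gather_facts disabled and changes nothing, it can run first and abort the whole Provision action before any server is modified.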
data-partition.yml
Using the DISK_SPACE secret and the ENCRYPTION_KEY secret, a LUKS-encrypted partition is created to store all OpenCRVS data, so that data at rest is unreadable without the key. It is mounted at the following directory:
decrypt-on-boot.yml
If your server reboots, the encrypted partition above must be decrypted and mounted again before the stack can start. This file lets you configure how that happens and where the ENCRYPTION_KEY is read from; as best practice you could hold the key in a Hardware Security Module rather than on the server itself. Be aware that a key file stored in plain text on the root disk of the same server protects the data only against theft of the data volume or its backups, not against an attacker who already has root on the running host.
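To show what the two steps above amount to in Ansible, here is an added example playbook that creates the encrypted volume and registers it for decryption at boot. It is not OpenCRVS's own data-partition.yml or decrypt-on-boot.yml: the host group, the file-backed volume, the key file path, the mapper name and the mount point are all assumptions, as are the variable names encryption_key and disk_space carrying the two secrets.

```yaml
# Added example, not OpenCRVS's own tasks. Everything under 'vars' is assumed.
- name: Create a LUKS-encrypted data volume and unlock it on every boot
  hosts: data
  become: true
  vars:
    luks_backing_file: /cryptfs_file_sparse.img   # assumed: file-backed volume sized by DISK_SPACE
    luks_keyfile: /root/disk-encryption-key.txt   # assumed key location; see caveat in the text above
    luks_name: cryptfs                            # assumed /dev/mapper name
    data_mount: /data                             # assumed mount point
  tasks:
    - name: Install cryptsetup
      ansible.builtin.apt:
        name: cryptsetup
        state: present
        update_cache: true

    - name: Write the key file, readable by root only, without logging its contents
      ansible.builtin.copy:
        content: "{{ encryption_key }}"
        dest: "{{ luks_keyfile }}"
        owner: root
        group: root
        mode: "0600"
      no_log: true

    - name: Allocate the backing file once (size from DISK_SPACE, e.g. 200G)
      ansible.builtin.command:
        cmd: fallocate -l {{ disk_space }} {{ luks_backing_file }}
        creates: "{{ luks_backing_file }}"

    - name: Format the file as LUKS if it is not yet, then open it with the key file
      community.general.luks_device:
        device: "{{ luks_backing_file }}"
        keyfile: "{{ luks_keyfile }}"
        name: "{{ luks_name }}"
        state: opened

    - name: Create an ext4 filesystem on the mapped device (no-op if one exists)
      community.general.filesystem:
        fstype: ext4
        dev: "/dev/mapper/{{ luks_name }}"

    - name: Register the volume in /etc/crypttab so systemd unlocks it at boot
      community.general.crypttab:
        name: "{{ luks_name }}"
        backing_device: "{{ luks_backing_file }}"
        password: "{{ luks_keyfile }}"
        state: present

    - name: Mount it now and persist the entry in /etc/fstab
      ansible.posix.mount:
        path: "{{ data_mount }}"
        src: "/dev/mapper/{{ luks_name }}"
        fstype: ext4
        opts: defaults,nofail
        state: mounted
```

The crypttab entry is what makes decrypt-on-boot work: systemd reads it, opens the volume with the key file and only then processes the fstab entry. nofail keeps the server bootable (so you can still SSH in and fix things) if the unlock fails; without it a missing key leaves the machine stuck in emergency mode. After the first run, confirm with `cryptsetup status cryptfs` and `findmnt /data` that the mount really sits on the mapper device and not on the unencrypted root filesystem.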
deployment-user.yml
Adds the provision user to the "docker" group to allow it to act as the deployment user in the Deploy step. Note that membership of the docker group is equivalent to root access on the host, so this account's SSH key must be protected accordingly.
docker.yml
Installs Docker on the server, logs in to Docker Hub using the secret credentials, and installs cron jobs that delete stale Docker images from your server to save disk space.
elasticsearch.yml
The default vm.max_map_count on most Linux systems is 65530. Elasticsearch requires at least 262144 to avoid out-of-memory exceptions, and its production bootstrap check refuses to start a node below that value, so this task raises the setting and makes it persist across reboots.
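An added example of how that setting is applied and verified, not OpenCRVS's own elasticsearch.yml; the sysctl.d file name is an assumption:

```yaml
# Added example, not OpenCRVS's own elasticsearch.yml.
- name: Raise vm.max_map_count for Elasticsearch, persistently
  hosts: all
  become: true
  tasks:
    - name: Set vm.max_map_count now and persist it under /etc/sysctl.d
      ansible.builtin.sysctl:
        name: vm.max_map_count
        value: "262144"
        sysctl_file: /etc/sysctl.d/99-elasticsearch.conf   # assumed file name
        sysctl_set: true
        state: present
        reload: true

    - name: Read back the live value (catches a VM or container where sysctl is read-only)
      ansible.builtin.command: sysctl -n vm.max_map_count
      register: max_map_count
      changed_when: false

    - name: Refuse to continue if the kernel did not accept the setting
      ansible.builtin.assert:
        that: max_map_count.stdout | int >= 262144
        fail_msg: "vm.max_map_count is {{ max_map_count.stdout }}; Elasticsearch needs at least 262144"
```

The read-back matters because on some hosting platforms the sysctl module writes the file successfully but the running kernel keeps the old value until the next reboot, which then surfaces as Elasticsearch crash-looping during Deploy rather than as a clear provisioning error.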
fail2ban.yml
Fail2Ban is an intrusion prevention framework written in Python and designed to stop brute-force attacks. It scans log files such as /var/log/auth.log and bans IP addresses that make too many failed login attempts. It does this by updating system firewall
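An added example of installing Fail2Ban and protecting SSH with it, not OpenCRVS's own fail2ban.yml. The thresholds and the ignoreip range are assumptions; the ufw ban action is chosen to match the ufw firewall described later on this page.

```yaml
# Added example, not OpenCRVS's own fail2ban.yml. Thresholds and ignoreip are assumed.
- name: Install Fail2Ban and ban repeated SSH failures through ufw
  hosts: all
  become: true
  tasks:
    - name: Install fail2ban
      ansible.builtin.apt:
        name: fail2ban
        state: present

    - name: Configure the sshd jail (jail.local overrides jail.conf; never edit jail.conf itself)
      ansible.builtin.copy:
        dest: /etc/fail2ban/jail.local
        owner: root
        group: root
        mode: "0644"
        content: |
          [DEFAULT]
          # Never ban localhost or the (assumed) admin network the Deploy step connects from
          ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24
          # 5 failures within 10 minutes -> ban for 1 hour; repeat offenders get longer bans
          findtime  = 10m
          maxretry  = 5
          bantime   = 1h
          bantime.increment = true
          bantime.maxtime   = 1d
          # Insert bans as ufw rules so they show up in 'ufw status' next to the static rules
          banaction = ufw

          [sshd]
          enabled = true
          port    = ssh
          logpath = %(sshd_log)s
          backend = %(sshd_backend)s
          # also match pre-auth disconnects and invalid-user probes, not only wrong passwords
          mode    = aggressive
      notify: restart fail2ban

    - name: Ensure fail2ban is running and starts on boot
      ansible.builtin.service:
        name: fail2ban
        state: started
        enabled: true

  handlers:
    - name: restart fail2ban
      ansible.builtin.service:
        name: fail2ban
        state: restarted
```

The ignoreip line is the check to get right: the GitHub Actions runner or bastion that performs Deploy will otherwise be banned the first time a key is rotated and a few logins fail. Verify a running jail with `fail2ban-client status sshd`, which lists the currently banned addresses.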
mongodb.yml
These steps prepare MongoDB for replication across multiple server nodes. They are used when your server cluster REPLICAS secret is higher than 1.
swap.yml
Swap space is an area on disk that forms part of your machine's virtual memory together with the physical memory (RAM). It holds memory pages that are temporarily inactive and is used when the operating system needs physical memory for active processes and not enough unused RAM is available. Swap must be configured, and this step does that for you. Be aware that an unencrypted swap file can hold pages of data that otherwise live only on the encrypted data partition, so it must be readable by root only, and encrypting it is worth considering.
swarm.yml
This task sets up Docker Swarm so that the stack can be load balanced across a server cluster. It is used when your server cluster REPLICAS secret is higher than 1.
tools.yml
Some of our Bash (shell) scripts, for example those for deployment and for backing up and restoring OpenCRVS, require tools such as Python pip and jq to be installed. This task installs them.
traefik.yml
Traefik plays a similar role to NGINX: it is the main ingress controller in our stack and therefore needs access to the directories where the TLS/SSL certificate files are stored. This task creates those directories with the correct permissions. When installing or refreshing static TLS certificates, this task needs to be edited.
ufw.yml
This installs and configures your server firewall using ufw, closing all incoming ports and opening only those required for Docker Swarm and SSH.
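An added example of that firewall policy in Ansible, not OpenCRVS's own ufw.yml. It assumes the inventory sets ansible_host for every node and that the Swarm ports should be reachable from the other cluster nodes only; the SSH rate limit is also an assumption.

```yaml
# Added example, not OpenCRVS's own ufw.yml. The node list and the rate limit are assumed.
- name: Configure ufw to deny everything inbound except SSH and Docker Swarm
  hosts: all
  become: true
  vars:
    # assumed: every inventory host has ansible_host set to its cluster-facing address
    swarm_nodes: "{{ groups['all'] | map('extract', hostvars, 'ansible_host') | list }}"
    swarm_ports:
      - { port: "2377", proto: tcp }   # cluster management (manager nodes)
      - { port: "7946", proto: tcp }   # node discovery / gossip
      - { port: "7946", proto: udp }
      - { port: "4789", proto: udp }   # overlay network traffic (VXLAN)
  tasks:
    - name: Install ufw
      ansible.builtin.apt:
        name: ufw
        state: present

    - name: Allow SSH first, rate limited, so enabling the default deny below cannot lock us out
      community.general.ufw:
        rule: limit          # ufw's limit = allow, but drop a source making 6+ connections in 30 s
        port: "22"
        proto: tcp

    - name: Open the Swarm ports to the other cluster nodes only, never to the internet
      community.general.ufw:
        rule: allow
        src: "{{ item.0 }}"
        port: "{{ item.1.port }}"
        proto: "{{ item.1.proto }}"
      loop: "{{ swarm_nodes | product(swarm_ports) | list }}"
      loop_control:
        label: "{{ item.0 }} -> {{ item.1.port }}/{{ item.1.proto }}"

    - name: Default policies, drop inbound and allow outbound
      community.general.ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: incoming, policy: deny }
        - { direction: outgoing, policy: allow }

    - name: Enable the firewall now that the allow rules are in place
      community.general.ufw:
        state: enabled
```

One caveat a practitioner should know: Docker programs iptables directly, so ports that containers publish with `-p`/`ports:` are reachable from outside regardless of the ufw rules above. ufw therefore protects the host services (SSH, Swarm control traffic); which container ports are exposed is decided by the compose files, not by this task. Check the effective state with `ufw status numbered` and `iptables -L DOCKER-USER -n`.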
updates.yml
This task installs and configures the following package with the intention of keeping your current version of Ubuntu automatically up to date. We don't guarantee that this works, but it should help you. You should always check manually that security patches, including those for zero-day vulnerabilities, have been applied on Ubuntu. Maintaining your Ubuntu installation is outside the scope of OpenCRVS.
users.yml
This task creates all the user accounts listed in your inventory files, disables password login and root login over SSH, and configures SSH public-key authentication combined with Google Authenticator 2FA (time-based one-time codes).
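An added example of the hardening this task describes, not OpenCRVS's own users.yml. The shape of the admin_users variable, the example user and key, and the handling of users who have not yet enrolled a token (the nullok option) are assumptions.

```yaml
# Added example, not OpenCRVS's own users.yml. The admin_users structure is assumed.
- name: Create admin users with key-only SSH and Google Authenticator 2FA
  hosts: all
  become: true
  vars:
    admin_users:   # assumed inventory shape; the key below is a placeholder, not a real key
      - { name: alice, pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyReplaceMe alice@laptop" }
  tasks:
    - name: Install the PAM module that verifies TOTP codes
      ansible.builtin.apt:
        name: libpam-google-authenticator
        state: present

    - name: Create the users (no password hash is set, so the password is locked)
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: /bin/bash
        groups: sudo
        append: true
      loop: "{{ admin_users }}"

    - name: Install each user's public key
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.pubkey }}"
      loop: "{{ admin_users }}"

    - name: Ask PAM for the TOTP code; nullok lets a user without ~/.google_authenticator in with the key alone until enrolled
      ansible.builtin.lineinfile:
        path: /etc/pam.d/sshd
        line: "auth required pam_google_authenticator.so nullok"
        insertbefore: BOF

    - name: Stop PAM from also prompting for the Unix password
      ansible.builtin.replace:
        path: /etc/pam.d/sshd
        regexp: '^@include common-auth'
        replace: '#@include common-auth'

    - name: Harden sshd, key + TOTP only, no passwords, no root; every edit is syntax-checked before it lands
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: KbdInteractiveAuthentication, value: "yes" }      # newer OpenSSH name
        - { key: ChallengeResponseAuthentication, value: "yes" }   # older alias, kept for compatibility
        - { key: UsePAM, value: "yes" }
        - { key: AuthenticationMethods, value: "publickey,keyboard-interactive" }
      notify: restart sshd

  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

AuthenticationMethods is the line that makes this real two-factor authentication: the key must succeed first, then PAM must accept the TOTP code. Each user enrols on first login by running `google-authenticator -t -d -f -r 3 -R 30 -W`, which writes ~/.google_authenticator; once every listed user has enrolled, drop nullok so that an account without a token can no longer log in with the key alone. Keep an existing session open while the sshd handler runs and test a fresh login from a second terminal before closing it.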
backups/crontab.yml
Configures the scheduled cron jobs that back up and restore OpenCRVS in production.