| Tag | Task file | Purpose |
|---|---|---|
| checks | all/checks-system.yml | Validates that some variables are defined properly in inventory files and Github Secrets |
| checks k8s | all/checks-k8s.yml | Check Kubernetes installed version with version supported by playbook |
| fail2ban | all/fail2ban.yml | Fail2Ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts. It does this by updating system firewall |
| tools | all/tools.yml | Some of our Bash (shell) scripts for deployment, backing up and restoring OpenCRVS for example require some libraries to be installed such as Python pip and jq. |
| updates | all/updates.yml | This task installs and configures the following package with the intention of keeping your current version of Ubuntu automatically up-to-date. We dont guarantee that this works but it should help you. You should always manually check that zero-day security vulnerabilities are applied on Ubuntu. Maintianing your Ubuntu installation is outside the scope of OpenCRVS. |
| users | all/users.yml | This task creates all the user accounts as listed in your inventory files, disables password & root access, installs and configures SSH key authentication mechanisms with Google Authenticator 2FA. |
| backup | backups/create-backup-server-credentials.yml | Create backup user and generate ssh keys. |
| backup | backups/setup-email-alert.yml | Configure email notifications on backup server |
| application | k8s/application.yml | Creates a directory on your server with the right permissions and manages application logs: This directory will store all OpenCRVS related application files required for deployment such as the "infrastructure" folder containing docker-compose files for example. The Deploy process copies these files to this location. |
| k8s | k8s/backup-secret.yml | Create secret with backup server credentials (hostname/IP, user, ssh key). Credentials are generated by backups/create-backup-server-credentials.yml |
| data-partition decrypt-on-boot | k8s/validate-data-partition.yml | Encrypted data partition validation to make sure encryption key valid and LUKs header is not demaged. |
| data-partition decrypt-on-boot | k8s/data-partition.yml | Using the DISK_SPACE secret and the ENCRYPTION_KEY secret, a LUKS encrypted directory partition is created to store all OpenCRVS data. The directory is: |
| decrypt-on-boot | k8s/decrypt-on-boot.yml | If your server reboots, the encrypted directory above must be de-crypted and mounted. This file allows you to configure this and the location of the ENCRYPTION_KEY which you could decide to place within a Hardware Security Module for best practice. |
| k8s | k8s/dockerhub-secret.yml | Create Dockerhub credentials secret inside opencrvs-<environment> namespace. See #issues/10625 |
| k8s | k8s/init-master.yml | Init Kubernetes master node with kubeadm, configure access for provision user, issue join worker node token. |
| containerd-setup k8s | k8s/install-containerd.yml | Install containerd with dependencies |
| k8s | k8s/install-kubernetes.yml | Install kubelet, kubeadm, kubectl with dependencies |
| k8s | k8s/install-network-plugin.yml | Install network plugin on master node |
| k8s | k8s/upgrade-k8s-master.yml | Upgrade master node on existing Kubernetes cluster |
| k8s | k8s/upgrade-k8s-workers.yml | Restart kubelet on worker nodes |
| k8s join-workers | k8s/join-workers.yml | Join worker nodes |
| k8s | k8s/kube-api-add-extra-sans.yml | Configure SSL certificate for API server to accept connections from multiple network interfaces, including KUBE_API_HOST |
| k8s | k8s/label-nodes.yml | Add labels to kubernetes nodes |
| k8s | k8s/metrics-server.yml | Install metrics server |
| k8s | k8s/self-hosted-runner.yml | Install GitHub self-hosted runner |
| k8s | k8s/system-preparation.yml | Configure kernel settings, disable swap, configure kernel modules for containerd |
| k8s users | k8s/user-kubeconfig.yml | Create kubernetes users and distribute configuration kube config files across user home directories. |
| k8s | k8s/ufw.yml | This installs and configures your server firewall using ufw, closing all ports and only opening those required for Docker Swarm and SSH |