# [hollyhock.sorantics.com][hollyhock]

Remote infrastructure.

## Local setup

```sh
$ git clone git@github.com:luskjh/infra
$ cd infra
$ make install
$ make install-pre
$ echo '' > .vault_pass
```

## Makefile targets

### Helper targets

_Listed in alphabetical order._

| Target        | Description             |
| ------------- | ----------------------- |
| `edit`        | Edit ansible vault      |
| `install`     | Install dependencies    |
| `install-pre` | Install pre-commit hook |
| `lint`        | Run ansible lint        |
| `ping`*       | Ping hollyhock host     |

### Playbook targets

_Listed in applicable order._

| Target       | Description        |
| ------------ | ------------------ |
| `bootstrap`* | Bootstrap access   |
| `security`   | Security hardening |
| `http`       | Web server         |
| `https`      | SSL certificates   |
| `devops`     | DevOps setup       |
| `git`        | Git hosting        |

### *Pre-bootstrapped targets

Before the automation user is created, the `ping` and `bootstrap` targets need to connect to the server host using an existing user. Set `ANSIBLE_USER` to override the default connection user, and set `ANSIBLE_PORT` to override the SSH port until the `bootstrap` playbook has changed it to the port specified in `vault.yaml`:

```sh
$ make ping ANSIBLE_USER=root ANSIBLE_PORT=22
$ make bootstrap ANSIBLE_USER=root ANSIBLE_PORT=22
```

#### Git repository

The `git` playbook publishes repositories via cgit at `https://git.sorantics.com` and creates `/home/git/sorantics/infra.git` as the first bare repository.

```sh
$ git remote add origin git@git.sorantics.com:sorantics/infra.git
$ git push -u origin main
```

#### Hollyhock's mTLS protection

The subdomain `hollyhock` is secured with mTLS. Once the `devops` playbook has run successfully, on macOS you need to add `tmp/hollyhock.p12` to your keychain (see troubleshooting before attempting an import):

```sh
$ security import tmp/hollyhock.p12 \
    -k ~/Library/Keychains/login.keychain-db \
    -P
```

#### Troubleshooting

mTLS can be a little finicky.
Here are some things to try (the tips are macOS specific).

If there are specific applications you know will need to access the key (such as your web browser), you can grant them access on import with `-T`:

```sh
$ security import tmp/hollyhock.p12 \
    -k ~/Library/Keychains/login.keychain-db \
    -P -T /Applications/Google\ Chrome.app
```

If you have imported multiple times, you may want to clear out the old certificates directly in Keychain Access before re-importing:

![keychain access](.repo/keychain.png)

## CI / deployments

There is a CI workflow that runs the same pre-commit hooks on GitHub as run locally, but deployments are currently only administered from a local machine.

[hollyhock]: //hollyhock.sorantics.com
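Before importing a PKCS#12 bundle into the keychain, it helps to confirm that the password actually opens it and that the client certificate inside chains to the CA shipped alongside it; an import that loads a stale, expired or mismatched client certificate is one of the more common reasons the mTLS setup described above feels finicky. The following POSIX shell script is an added example and is not part of the infra repository or its playbooks: it builds a throwaway CA and client certificate with `openssl` (constructed purely for the demo; the real `tmp/hollyhock.p12` is produced by the `devops` playbook), bundles them into a `.p12`, and then inspects that bundle the same way you would inspect the real file. The function names `make_demo_p12`, `inspect_p12` and `leaf_cn` are the example's own.

```shell
#!/bin/sh
# Added example, not part of the infra repo: build a demo PKCS#12 bundle and
# inspect it before importing. Requires only the openssl CLI.

# make_demo_p12 DIR PASSWORD
# Writes DIR/client.p12 containing a constructed client cert + its demo CA.
make_demo_p12() {
  dir=$1; pass=$2
  mkdir -p "$dir" || return 1
  # Self-signed demo CA (constructed; stands in for the CA the playbook manages).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Demo mTLS CA" \
    >/dev/null 2>&1 || return 1
  # Client key + CSR, signed by the demo CA.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/client.key" -out "$dir/client.csr" -subj "/CN=demo-client" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/client.crt" >/dev/null 2>&1 || return 1
  # Bundle key, leaf and CA into one password-protected PKCS#12 file.
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
    -certfile "$dir/ca.crt" -name demo-client \
    -out "$dir/client.p12" -passout "pass:$pass" || return 1
}

# inspect_p12 FILE PASSWORD
# Prints subject, issuer and expiry of the client certificate. Returns non-zero
# if the password is wrong or the leaf does not chain to the CA in the bundle.
inspect_p12() {
  p12=$1; pass=$2
  tmp=$(mktemp -d) || return 1
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
      -out "$tmp/leaf.pem" 2>/dev/null; then
    echo "cannot open $p12: wrong password or corrupt bundle" >&2
    rm -rf "$tmp"; return 1
  fi
  # CA certificates travel in the same bundle; extract them as the trust anchor.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -cacerts \
    -out "$tmp/chain.pem" 2>/dev/null
  openssl x509 -in "$tmp/leaf.pem" -noout -subject -issuer -enddate
  if ! openssl verify -CAfile "$tmp/chain.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
    echo "client certificate does not chain to the bundled CA" >&2
    rm -rf "$tmp"; return 1
  fi
  rm -rf "$tmp"
}

# leaf_cn FILE PASSWORD
# Just the CN of the client certificate, handy for scripting checks.
leaf_cn() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}
```

Run `inspect_p12 tmp/hollyhock.p12 "$PASS"` before `security import`; if it reports a wrong password or a chain failure, the import is not going to produce a working client identity, however cleanly Keychain Access accepts the file. If the bundle was produced with OpenSSL 3 and macOS refuses to import it, re-exporting with `openssl pkcs12 -export -legacy` is a common fix, since the keychain does not accept the newer default PBE algorithms.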