# [hollyhock.sorantics.com][hollyhock]
Remote infrastructure.
## Local setup
```sh
$ git clone git@github.com:luskjh/infra
$ cd infra
$ make install
$ make install-pre
$ echo '<vault password>' > .vault_pass
```
## Makefile targets
### Helper targets
_Listed in alphabetical order._
| Target | Description |
| ------------------ | ----------------------- |
| `edit` | Edit ansible vault |
| `install` | Install dependencies |
| `install-pre` | Install pre-commit hook |
| `lint` | Run ansible lint |
| `ping`<sup>*</sup> | Ping hollyhock host |
### Playbook targets
_Listed in applicable order._
| Target | Description |
| ----------------------- | ------------------ |
| `bootstrap`<sup>*</sup> | Bootstrap access |
| `security` | Security hardening |
| `http` | Web server |
| `https` | SSL certificates |
| `devops`<sup>†</sup> | DevOps setup |
### <sup>*</sup>Pre-bootstrapped targets
Before the automation user is created, the `ping` and `bootstrap`
targets need to initially connect to the server host using an existing
user. Set `ANSIBLE_USER` to override the default connection user, and
set `ANSIBLE_PORT` to override the SSH port before the `bootstrap`
playbook has updated it to the port specified in `vault.yaml`:
```sh
$ make ping ANSIBLE_USER=root ANSIBLE_PORT=22
$ make bootstrap ANSIBLE_USER=root ANSIBLE_PORT=22
```
#### <sup>†</sup>Hollyhock's mTLS Protection
The subdomain `hollyhock` is secured with mTLS. Once the `devops`
playbook has run successfully, on macOS you need to add the client
bundle `tmp/hollyhock.p12` to your keychain (see troubleshooting before
attempting an import):
```sh
$ security import tmp/hollyhock.p12 \
    -k ~/Library/Keychains/login.keychain-db \
    -P <mtls_p12_password>
```
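Before importing, it is worth confirming that the bundle opens with the password you are about to pass to `security` and that the client certificate inside it has not expired; a wrong password or a stale bundle otherwise surfaces only as an unhelpful keychain error. The `p12_check` helper below is an added example, not part of this repository's tooling; it assumes `openssl` is on the path and takes the bundle path and password as arguments (the key material is never extracted, only the certificate).

```sh
#!/bin/sh
# Added example (not the infra repo's own code): inspect a PKCS#12 client
# bundle before importing it into the macOS keychain. Requires openssl.

# p12_check <bundle.p12> <password>
# Prints the subject and expiry of the client certificate and returns
# non-zero when the file is missing (2), the password is wrong or the
# bundle is corrupt (3), or the certificate has already expired (4).
p12_check() {
  file="$1"
  password="$2"
  [ -r "$file" ] || { echo "no such bundle: $file" >&2; return 2; }
  # -nokeys -clcerts: extract only the client certificate, never the key
  cert=$(openssl pkcs12 -in "$file" -passin "pass:$password" -nokeys -clcerts 2>/dev/null) \
    || { echo "cannot open $file: wrong password or corrupt bundle" >&2; return 3; }
  printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
  # -checkend 0 fails when the certificate's notAfter is already in the past
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null \
    || { echo "client certificate has expired; re-run the devops playbook" >&2; return 4; }
  return 0
}

# Usage against the bundle produced by the devops playbook:
#   p12_check tmp/hollyhock.p12 '<mtls_p12_password>' && security import ...
```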
#### Troubleshooting
mTLS can be a little finicky. Here are some things to try
(the tips are macOS specific).
If you know specific applications will need to access the key (such
as your web browser), you can grant them access at import time with `-T`:
```sh
$ security import tmp/hollyhock.p12 \
    -k ~/Library/Keychains/login.keychain-db \
    -P <mtls_p12_password> \
    -T /Applications/Google\ Chrome.app
```
If you've imported multiple times, you may want to clear out the old
certificates directly in Keychain Access before re-importing:

## CI / deployments
There is a CI workflow that runs the same pre-commit hooks on GitHub as
run locally, but deployments are currently only administered from a
local machine.
[hollyhock]: //hollyhock.sorantics.com