feat: more operator guide
parent
8f7d0d372e
commit
e72c729735
13 changed files with 240 additions and 7 deletions
70
docs/operator/deploy-host.md
Normal file
|
|
@ -0,0 +1,70 @@
|
|||
---
|
||||
sidebar_position: 30
|
||||
sidebar_label: Deployment Host
|
||||
---
|
||||
|
||||
# Deployment Host Setup
|
||||
|
||||
Deployment takes place using [Ansible](https://docs.ansible.com/) which we will install in a
|
||||
[venv](https://docs.python.org/3/library/venv.html) to allow for careful management of the versions of the software in
|
||||
use.
|
||||
|
||||
For security, the deployment host must not run any network services listening on an external interface other than a
|
||||
hardened SSH daemon if being used remotely. Ideally, the deployment host is operated locally via its terminal.
|
||||
|
||||
Begin by creating a directory for the deployment framework to operate from that should be owned by your unprivileged
|
||||
user and group and have filesystem permissions of `0700`.
|
||||
On systems with SELinux, a context of `user_home_t` should be appropriate.
|
||||
|
||||
This documentation will assume that you are working in the directory `$HOME/ops/`.
|
||||
|
||||
## Virtual Environment Setup
|
||||
|
||||
Begin by creating and activating a virtual environment:
|
||||
|
||||
```shell
|
||||
cd $HOME/ops
|
||||
python3 -m venv venv
|
||||
source venv/bin/activate
|
||||
```
|
||||
|
||||
Then install the dependencies we will require:
|
||||
|
||||
```shell
|
||||
pip install ansible
|
||||
pip install bitwarden-sdk # optional: only required for bitwarden secrets manager
|
||||
```
|
||||
|
||||
## Install the Ansible collection and role dependencies
|
||||
|
||||
Create `$HOME/ops/requirements.yml`:
|
||||
|
||||
```yaml
|
||||
---
|
||||
collections:
|
||||
- name: bitwarden.secrets # optional: only required for bitwarden secrets manager
|
||||
- src: git+https://guardianproject.dev/sr2/ansible-collection-core.git
|
||||
version: main # optional: only required for our baseline role
|
||||
- src: git+https://guardianproject.dev/sr2/ansible-collection-apps.git
|
||||
version: main # required: contains the CDR Link deployment role
|
||||
roles:
|
||||
- src: git+https://github.com/ansible-lockdown/RHEL9-CIS.git
|
||||
version: "2.0.3" # optional: only required for our baseline role
|
||||
```
|
||||
|
||||
Install the collections, and roles if required:
|
||||
|
||||
```shell
|
||||
cd $HOME/ops
|
||||
ansible-galaxy collection install -r requirements.yml
|
||||
ansible-galaxy role install -r requirements.yml
|
||||
```
|
||||
|
||||
## Create deployment data files and directories
|
||||
|
||||
Create the necessary directories that we will need in the next step:
|
||||
|
||||
```shell
|
||||
cd $HOME/ops
|
||||
mkdir {host,group}_vars
|
||||
```
|
||||
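Review bot: In the `requirements.yml` block, both guardianproject.dev collections are pinned to `version: main`, a moving branch, so each run of `ansible-galaxy collection install -r requirements.yml` can pull different code onto the deployment host. That is at odds with the intro's stated aim of "careful management of the versions of the software in use". Suggest pinning each collection to a release tag or a full commit SHA, as is already done for RHEL9-CIS with `"2.0.3"`, and giving `pip install ansible` and `pip install bitwarden-sdk` explicit versions or a pinned requirements file. Separately, those two collection entries use `src:` where the first entry uses `name:`; the ansible-galaxy documentation describes `name` with `type: git` for collection entries, so it is worth confirming that they install as written. The opening section also asks for a `0700` directory owned by the unprivileged user but shows no command for it; a line such as `install -d -m 0700 "$HOME/ops"` before the venv step would make that requirement concrete.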