---
sidebar_position: 30
sidebar_label: Deployment Host
---

# Deployment Host Setup

Deployment takes place using [Ansible](https://docs.ansible.com/), which we will install in a [venv](https://docs.python.org/3/library/venv.html) to allow for careful management of the versions of the software in use.

For security, the deployment host must not run any network services listening on an external interface, other than a hardened SSH daemon if the host is being used remotely. Ideally, the deployment host is operated locally via its terminal.

Begin by creating a directory for the deployment framework to operate from. It should be owned by your unprivileged user and group and have filesystem permissions of `0700`. On systems with SELinux, a context of `user_home_t` should be appropriate.

This documentation will assume that you are working in the directory `$HOME/ops/`.

## Virtual Environment Setup

Begin by creating and activating a virtual environment:

```shell
cd $HOME/ops
python3 -m venv venv
source venv/bin/activate
```

Then install the dependencies we will require:

```shell
pip install ansible
pip install bitwarden-sdk # optional: only required for bitwarden secrets manager
```

## Install the Ansible collection and role dependencies

Create `$HOME/ops/requirements.yml`:

```yaml
---
collections:
  - name: bitwarden.secrets # optional: only required for bitwarden secrets manager
  - name: git+https://guardianproject.dev/sr2/ansible-collection-core.git
    version: main # optional: only required for our baseline role
  - name: git+https://guardianproject.dev/sr2/ansible-collection-apps.git
    version: main # required: contains the CDR Link deployment role
roles:
  - src: git+https://github.com/ansible-lockdown/RHEL9-CIS.git
    version: "2.0.3" # optional: only required for our baseline role
```

Install the collections, and roles if required:

```shell
cd $HOME/ops
ansible-galaxy collection install -r requirements.yml
ansible-galaxy role install -r requirements.yml
```

## Create deployment data files and directories

Create the necessary directories that we will need in the next step:

```shell
cd $HOME/ops
mkdir {host,group}_vars
```
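
The two host prerequisites from the introduction (no externally listening service other than SSH, and an operations directory owned by you with mode `0700`) can be checked with a short script. This is an added example, not part of the original guide: it assumes a Linux host with iproute2 `ss` and sshd on TCP port 22 unless `SSH_PORT` is set, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumes Linux with iproute2 `ss`
# and sshd on TCP port 22 unless SSH_PORT is set; function names are illustrative.

# Read `ss -H -tuln` output on stdin; print each listener bound to a
# non-loopback address, except TCP on the SSH port.
external_listeners() {
  awk -v ssh_port="${SSH_PORT:-22}" '
    {
      port = $5; sub(/.*:/, "", port)              # field 5 is Local Address:Port
      addr = $5; sub(/:[^:]*$/, "", addr)
      gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # IPv6 brackets
      sub(/%.*/, "", addr)                         # interface scope such as %lo
      if (addr ~ /^127\./ || addr == "::1") next   # loopback only
      if ($1 == "tcp" && port == ssh_port) next    # the permitted SSH daemon
      print $1, $5
    }'
}

# Succeed only if $1 is a directory owned by the current user with mode 0700.
ops_dir_ok() {
  [ -d "$1" ] && [ -n "$(find "$1" -prune -perm 0700 -user "$(id -u)")" ]
}

# Constructed sample of `ss -H -tuln` output, so the example runs offline.
sample_ss_output() {
  cat <<'EOF'
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      128    [::]:22              [::]:*
tcp   LISTEN 0      4096   127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      4096   [::1]:631            [::]:*
tcp   LISTEN 0      511    *:8080               *:*
udp   UNCONN 0      0      0.0.0.0:5353         0.0.0.0:*
EOF
}

echo "Listeners that violate the policy (sample data):"
sample_ss_output | external_listeners
# On the real host: ss -H -tuln | external_listeners
#                   ops_dir_ok "$HOME/ops" || echo "fix owner/mode of $HOME/ops"
```

Any line printed by `external_listeners` is a service to stop or rebind to loopback before the host is used for deployments.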