Re: Examples of existing infrastructures?

hey hvjunk & maciej, thanks for your quick and helpful responses. On 29.03.21 01:04, hvjunk wrote: Just to check if I understood correctly: at first you have a dedicated ansible controller (are you using the term jump host as a synonyme?) for provisioning the proxmox instances AND the initial "stack" jump hosts / ansible controllers as entrypoints into their subnets? Thanks for the MAC into DHCP / 2nd playbook tip! Right now I have a debopsed PXE server set up pushing out a custom preseed config with full disk encryption enabled, since that is a requirement for me. My workflow for creating a new VM is cloning a QEMU template, then manually setting it up to run the encrypted install, then running a complete debops common playbook, which also enables cryptsetup & dropbear_initramfs. After that I would run it again with more debops / other services enabled. Sounds great. The location of jump hosts is still confusing to me, though. It sounds like you have: WAN -- FW -- jump host -- LAN1                                       |_ LAN2                                       |_ LAN3, etc. one single jumphost, that has NICs in every Subnet / VLAN? Where is the ansible controller then? Also how to prevent that jumphost being a single point of failure? I've used debops-padlock so far and commited the encrypted secrets, but found then that the organization of my own gpg / ssh keys is really lacking (securely synchronizing between my clients, number and separation of keys, etc.) Ordered a nitrokey, maybe this will help me become more organised in this regard. Oh, I can identify :D "Automation" lured me with the promise of getting rid of meticulously crafted snowflake servers, but I stayed for the possibility of having a huuuuge (well-configured) cluster of services I'll never have the time to really use :D ------------- Maciej's mail: On 29.03.21 10:49, Maciej Delmanowski wrote: Yes, I probably should have written "starting with automating / designing server infrastructures". I have some experience of administrating different kinds of windows (trying to get rid of those responsibilites, I'm telling you) / linux / unix servers, but never learned administering any of it from scratch. I "fell" into administration being the person that knew the most IT in a NGO like group that needed certain webservices. Thus my knowledge is shaped "organically" around the problems that arose setting these up. So when I started using debops (which I found researching more efficient ways to admin) I knew the basics of setting up a server, but was mostly ignorant of concepts "tying hosts together" like ldap, a pki, pxe, advanced dhcp/dns etc. Also debops seems to be very thorough in setting up a system, reading the common playbook I stumbled upon so many things I haven't done / known before, like apt_proxy or tcpwrappers Thank you so much for those, very valuable. Do you test for these quirks automatically or manually? What I am doing right now is designing an ideal lab environment on a proxmox host with sufficient ressources (for testing). In it I try to focus on finding a balance between secure separation of services and efficiently using a VM's given ressources. So far I have opnsense: DHCP / DNS / FW Host1: Controller / PKI / Jump Host (?) Host2: PXE / Preseed / Apt-Cache Host3&4: slapd-servers Host5: Monitoring / Logserver Host6: DB-Server Host7: Jenkins Host8: Nextcloud Host9+: Appservers Hopefully, this blueprint makes it easier to adapt to not-so-ideal circumstances, but at least it's a good lab to learn debops. Should I try to find the right position for my custom roles or is appending it to a site.yml in my inventory enough? If not, how do I specify a position without editing the debops code? Sorry, this is getting redundant, but in your example, where is the ansible controller located? Do you have one in your "home environment" that controls all of your different debops environments or one controller in each debops environment to which you (manually) connect through a jump host? BTW: for others learning this I found this blogpost an excellent explanation of different ssh tunneling mechanisms: https://leftasexercise.com/2019/12/23/using-ansible-with-a-jump-host/ Having started to use git just now this makes me super anxious to use public repositories, but finding out about debops-padlock eased that a bit. Thanks for the detailed walkthrough. I did only find out about bootstrap-ldap via the newly added sssd role documentation, bootstrap-sssd seems to be working similarly. How do I know which tasks to skip? Probably by knowing the code, right? :) Thanks for the encouragement and the support! As strange as it may sound I'm having great fun learning debops and its multitude of possibilities. Just feel overwhelmed by it at times, but that keeps me motivated.