Getting the old non-docker servers working in concert with the new ones. Now to give them all the shared firewall and install consul.

Makefile

@@ -65,11 +65,17 @@ plan:
 apply:
 	terraform -chdir=terraform apply
 
+# Docker
 images:
 	- docker image build . --file=docker/newsblur_base_image.Dockerfile --tag=newsblur/newsblur_python3
 	- docker image build . --file=docker/node/node_prod.Dockerfile --tag=newsblur/node_prod
 	- docker push newsblur/newsblur_python3
 	- docker push newsblur/node_prod
 
+# Tasks
 deploy:
 	- docker stack deploy --with-registry-auth -c stack-compose.yml dev-stack
+
+firewall:
+	- ansible-playbook ansible/provision.yml --tags firewallx -l db
+

ansible.cfg

@@ -4,8 +4,6 @@ remote_user = nb
 retry_files_enabled = False
 inventory = /srv/newsblur/ansible/inventories/digital_ocean.ini, /srv/newsblur/ansible/inventories/digital_ocean.yml
 private_key_file = /srv/secrets-newsblur/keys/docker.key
-publickey = /srv/secrets-newsblur/keys/docker.key.pub 
-# private_key_file = /srv/secrets-newsblur/keys/newsblur.key
 remote_tmp = ~/.ansible/tmp
 forks = 20
 

ansible.old.cfg

@@ -7,6 +7,7 @@ private_key_file = /srv/secrets-newsblur/keys/newsblur.key
 publickey = /srv/secrets-newsblur/keys/newsblur.key.pub 
 remote_tmp = ~/.ansible/tmp
 forks = 20
+deprecation_warnings=False
 
 [inventory]
 enable_plugins = ini, constructed

ansible/group_vars/NewsBlur.yml

@@ -0,0 +1,3 @@
+---
+ansible_ssh_private_key_file: /srv/secrets-newsblur/keys/newsblur.key
+ansible_ssh_user: sclay

ansible/group_vars/NewsBlur_Docker.yml

@@ -0,0 +1,3 @@
+---
+ansible_ssh_private_key_file: /srv/secrets-newsblur/keys/docker.key
+ansible_ssh_user: nb

ansible/inventories/all.yml

@@ -1,3 +1,5 @@
-[oldandnew]
-NewsBlur
-NewsBlur_Docker
+plugin: constructed
+strict: False
+
+groups:
+  oldandnew: group_names | intersect(["NewsBlur", "NewsBlur_Docker"])

ansible/inventories/digital_ocean.old.yml

@@ -7,9 +7,8 @@ groups:
   node: inventory_hostname.startswith('node')
   db: inventory_hostname.startswith('db')
   task: inventory_hostname.startswith('task')
-  search: inventory_hostname.startswith('db-elasticsearch')
-  elasticsearch: inventory_hostname.startswith('db-elasticsearch')
-  redis: inventory_hostname.startswith('db-redis')
-  postgres: inventory_hostname.startswith('db01')
-  mongo: inventory_hostname in ['db20d', 'db22', 'db23a', 'db30']
-  consul: inventory_hostname.startswith('db-consul')
+  search: inventory_hostname.startswith('search')
+  elasticsearch: inventory_hostname.startswith('search')
+  redis: inventory_hostname.startswith('db4')
+  postgres: inventory_hostname.startswith('db0')
+  mongo: inventory_hostname.startswith('db2') or inventory_hostname.startswith('db3')

ansible/inventories/digital_ocean.yml

@@ -4,7 +4,7 @@ strict: False
 groups:
   web: inventory_hostname.startswith('app')
   app: inventory_hostname.startswith('app')
-  work: inventory_hostname.startswith('work') and inventory_hostname != "work"
+  # work: inventory_hostname.startswith('work') and inventory_hostname != "work"
   node: inventory_hostname.startswith('node')
   # debug: inventory_hostname.startswith('debug')
   db: inventory_hostname.startswith('db')

ansible/provision.yml

@@ -1,19 +1,19 @@
 ---
 - import_playbook: setup_app.yml
-  when: "'app' in inventory_hostname"
+  when: "'app' in group_names"
 - import_playbook: setup_www.yml
-  when: "'www' in inventory_hostname"
+  when: "'www' in group_names"
 - import_playbook: setup_node.yml
-  when: "'node' in inventory_hostname"
+  when: "'node' in group_names"
 - import_playbook: setup_postgres.yml
-  when: "'postgres' in inventory_hostname"
+  when: "'postgres' in group_names"
 - import_playbook: setup_mongo.yml
-  when: "'mongo' in inventory_hostname"
+  when: "'mongo' in group_names"
 - import_playbook: setup_redis.yml
-  when: "'redis' in inventory_hostname"
+  when: "'redis' in group_names"
 - import_playbook: setup_elasticsearch.yml
-  when: "'elasticsearch' in inventory_hostname"
+  when: "'elasticsearch' in group_names"
 - import_playbook: setup_task.yml
-  when: "'task' in inventory_hostname"
+  when: "'task' in group_names"
 - import_playbook: setup_consul_manager.yml
-  when: "'consul' in inventory_hostname"
+  when: "'consul' in group_names"

ansible/roles/base/tasks/ufw.yml

@@ -31,13 +31,17 @@
   with_items:
     - 10.0.0.0/8
 
+- debug:
+    msg: "{{ groups['oldandnew'] | map('extract', hostvars, ['ansible_host']) }}"
+  tags: firewallx
+  
 - name: Allow all access from inventory hosts
   become: yes
   ufw:
     rule: allow
     src: '{{ item }}'
   with_items: "{{ groups['oldandnew'] | map('extract', hostvars, ['ansible_host']) }}"
-  tags: ufwall
+  tags: firewall
 
 - name: Start ufw
   ufw: state=enabled

ansible/setup_app.yml

@@ -1,11 +1,11 @@
 ---
 - name: SETUP -> app containers
   hosts: app
+  vars_files:
+    - env_vars/base.yml
   vars:
     - update_apt_cache: yes
     - motd_role: app
-  vars_files:
-    - env_vars/base.yml
     
   roles:
     - {role: 'base', tags: 'base'}

ansible/setup_postgres.yml

@@ -1,12 +1,12 @@
 ---
 - name: SETUP -> postgresql containers
   hosts: postgres
-  become: true
   vars_files:
     - env_vars/base.yml
   vars:
     - update_apt_cache: yes
     - motd_role: db
+
   roles:
     - {role: 'base', tags: 'base'}
     - {role: 'docker', tags: 'docker'}