Create two sets of ssh keys:
- One for connecting to the web and database servers. With passphrase.
- One for connecting to GitHub to pull / clone the repo (i.e. a deploy key). Without passphrase.
Run this once for each key, giving each its own file name:

    ssh-keygen -t rsa -b 4096 -C [email protected]

- Copy the public server key onto the servers (either automatically, e.g. upon Digital Ocean droplet creation, or manually) to
  /home/{{ deploy_user }}/.ssh/authorized_keys
- Save the public deploy key on GitHub in the relevant repo as a deploy key.
Log in to the servers once so that their host keys are added to known hosts:

    ssh -i ~/.ssh/{{ ssh_key_name }} root@web_server_ip
    ssh -i ~/.ssh/{{ ssh_key_name }} root@database_server_ip

Add the ssh identity locally so that the passphrase is not asked for repeatedly:

    ssh-add ~/.ssh/{{ ssh_key_name }}

Install the project's Python dependencies and enter the virtualenv:

    pipenv install
    pipenv shell

These files must remain encrypted when committing to source control:
    group_vars/all
    roles/webserver/templates/django_settings.py

The default vault password is "test".
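Because both files travel through git, the failure mode to guard against is a decrypt that is never followed by a re-encrypt. The following pre-commit style check is an added example, not part of this repo: it refuses the commit unless each listed file still starts with the header that ansible-vault writes. The two paths are the ones listed above; the sample file contents are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of this repo): refuse to commit the vault-managed
# files unless they still carry the ansible-vault header. The two paths come
# from the README; the sample file contents below are constructed for the demo.

# ansible-vault writes a first line of the form
#   $ANSIBLE_VAULT;1.1;AES256          (no vault id)
#   $ANSIBLE_VAULT;1.2;AES256;<label>  (with --vault-id)
# so matching on the common prefix covers both formats.
is_vault_encrypted() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every path given; print the offenders and return 1 if any file is
# missing or stored in plain text, 0 when all of them are encrypted.
check_vault_encrypted() {
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING:   $f" >&2
            rc=1
        elif ! is_vault_encrypted "$f"; then
            echo "PLAINTEXT: $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/group_vars" "$demo_dir/roles/webserver/templates"
# an encrypted file: vault header plus a constructed hex body
printf '%s\n%s\n' '$ANSIBLE_VAULT;1.1;AES256' '6665616b65' \
    > "$demo_dir/group_vars/all"
# a settings file that was decrypted and not re-encrypted
printf 'SECRET_KEY = "changeme"\n' \
    > "$demo_dir/roles/webserver/templates/django_settings.py"

if check_vault_encrypted "$demo_dir/group_vars/all" \
        "$demo_dir/roles/webserver/templates/django_settings.py"; then
    echo "ok: all vault files encrypted"
else
    echo "refusing to commit: plain-text vault file(s) found"
fi
rm -rf "$demo_dir"
```

To enforce it, call check_vault_encrypted on the two repo paths from .git/hooks/pre-commit and exit with its return code; git aborts the commit on a non-zero exit. The check only looks at the header, so it catches an accidental plain-text commit but says nothing about whether the vault password itself is strong.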
For new projects, decrypt these files and then re-encrypt them with a new password:

    ansible-vault decrypt group_vars/all
    ansible-vault encrypt group_vars/all
    ansible-vault decrypt roles/webserver/templates/django_settings.py
    ansible-vault encrypt roles/webserver/templates/django_settings.py

Once the new password has been set, do not decrypt the files again. Instead edit them as follows, which keeps the file encrypted between edits without the risk of committing plain text to source control:
    EDITOR=nano ansible-vault edit group_vars/all

An encrypted password for deploy_user_encrypted_password can be created using:

    mkpasswd --method=sha-512

Check roles/webserver/tasks/dependencies.yml and update it depending on whether Poetry or Pipenv is being used. Then run the playbooks:
    ansible-playbook ./init_config.yml --ask-vault-pass --private-key=~/.ssh/{{ ssh_key_name }} -i hosts
    ansible-playbook ./web_and_database.yml --ask-vault-pass --private-key=~/.ssh/{{ ssh_key_name }} -i hosts
    ansible-playbook ./web_and_database.yml --ask-vault-pass --private-key=~/.ssh/{{ ssh_key_name }} -i hosts --start-at-task="clone or pull latest code"