Add: ansible playbook for configuring new caching content servers #4
Conversation
(force-pushed from 65cc127 to dc397f3)
Nice :D
A bunch of comments, mostly because I wasn't sure if you remembered these requests on IRC or if they got lost in the void :) So just a kind reminder that we need those before we can go live with this :)
Regarding IPv6, as mentioned on IRC:
https://docs.ovh.com/gb/en/vps/configuring-ipv6/#persistent-application-on-debian-and-its-derivatives-ubuntu-crunchbang-steamos
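One way to carry the OVH instructions into the playbook, as an added example rather than anything from this PR: it writes the `iface … inet6 static` stanza that the linked OVH page describes for Debian into `/etc/network/interfaces` with `blockinfile`, re-runs `ifup`, and then checks that an IPv6 default route exists. The inventory group `cdn`, the interface name `eth0` and the address, prefix and gateway values are placeholders (the `2001:db8::` documentation prefix); the real values come from the OVH control panel for each VPS, and the example assumes the VPS uses ifupdown, as the OVH page does.

```yaml
# Added example, not the PR's own code. Persists the OVH-documented IPv6
# stanza for a Debian VPS using ifupdown. Everything under `vars` is a
# placeholder; the `cdn` inventory group is an assumption.
- name: Persist IPv6 on the caching content servers
  hosts: cdn
  become: true
  vars:
    ipv6_iface: eth0
    ipv6_address: "2001:db8::1"     # documentation prefix, replace per VPS
    ipv6_prefix: 64
    ipv6_gateway: "2001:db8::ff"    # replace with the OVH-provided gateway
  tasks:
    - name: Add the static IPv6 stanza from the OVH docs
      ansible.builtin.blockinfile:
        path: /etc/network/interfaces
        marker: "# {mark} ANSIBLE MANAGED IPv6"
        block: |
          iface {{ ipv6_iface }} inet6 static
              address {{ ipv6_address }}
              netmask {{ ipv6_prefix }}
              post-up /sbin/ip -6 route add {{ ipv6_gateway }} dev {{ ipv6_iface }}
              post-up /sbin/ip -6 route add default via {{ ipv6_gateway }} dev {{ ipv6_iface }}
              pre-down /sbin/ip -6 route del default via {{ ipv6_gateway }} dev {{ ipv6_iface }}
              pre-down /sbin/ip -6 route del {{ ipv6_gateway }} dev {{ ipv6_iface }}
      notify: Reapply interface config

    # Run the handler now rather than at the end of the play, so the check
    # below sees the new routes.
    - ansible.builtin.meta: flush_handlers

    - name: Verify an IPv6 default route is present
      ansible.builtin.command: ip -6 route show default
      register: v6_default
      changed_when: false
      failed_when: v6_default.stdout == ""

  handlers:
    - name: Reapply interface config
      ansible.builtin.command: ifup --force {{ ipv6_iface }}
```

The check at the end is what you would otherwise do by hand after a reboot; if the stanza is wrong the play fails on the VPS it was run against instead of silently leaving the host IPv4-only.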
URLs to test with:
https://bananas.cdn.staging.openttd.org/base-graphics/4f474658/99ef7df70a3fe95f0f9da6dcb5e63444/FOR-TESTING-ONLY.tar.gz
https://bananas.cdn.openttd.org/base-graphics/4f474658/99ef7df70a3fe95f0f9da6dcb5e63444/FOR-TESTING-ONLY.tar.gz
So valid URLs should also be:
https://bananas-1.cdn.staging.openttd.org/base-graphics/4f474658/99ef7df70a3fe95f0f9da6dcb5e63444/FOR-TESTING-ONLY.tar.gz
https://bananas-1.cdn.openttd.org/base-graphics/4f474658/99ef7df70a3fe95f0f9da6dcb5e63444/FOR-TESTING-ONLY.tar.gz
And the same for http instead of https, and 2 instead of 1 :)
This is OpenGFX, so we can just publicly announce the md5sum :D
Shouldn't we also provision
(force-pushed from dc397f3 to ce6c678)
We can do, if you'd like to do user management via ansible as well - I wouldn't want everyone to share the debian user in that case. I was kind of avoiding it and just using the debian user.

I would like to avoid a situation where only 1 person has access to the VPSes. We used to share the password to it, but that is not the best thing to do these days :D So any form of having more than 1 person with access would be my preference. Personally, I wouldn't care if that is the
Cheers for the other changes!
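The per-person alternative to a shared `debian` account, as an added example and not code from this PR: each admin gets their own locked-password account, their own SSH key as the only authorized key for that account, and sudo rights, while password and root logins over SSH are switched off. The `admins` list, the `keys/*.pub` paths and the `cdn` inventory group are assumptions; run it with a second shell already open to the host so a mistake in the sshd change cannot lock you out.

```yaml
# Added example, not the PR's own code. Individual admin accounts instead
# of one shared `debian` user. The admins list, key file paths and the
# `cdn` inventory group are assumptions.
- name: Per-person admin accounts on the caching content servers
  hosts: cdn
  become: true
  vars:
    admins:
      - name: alice
        pubkey: "{{ lookup('file', 'keys/alice.pub') }}"
      - name: bob
        pubkey: "{{ lookup('file', 'keys/bob.pub') }}"
  tasks:
    - name: Create admin users with a locked password (key-only login)
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: /bin/bash
        groups: sudo
        append: true
        password_lock: true
      loop: "{{ admins }}"

    - name: Install each admin's public key as the only key for that account
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.pubkey }}"
        exclusive: true
      loop: "{{ admins }}"

    - name: Passwordless sudo for the sudo group (the accounts have no password)
      ansible.builtin.copy:
        dest: /etc/sudoers.d/90-admins
        content: "%sudo ALL=(ALL:ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s   # never install a broken sudoers

    - name: Disable password and root logins over SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.opt }}\s'
        line: "{{ item.opt }} {{ item.val }}"
      loop:
        - { opt: PasswordAuthentication, val: "no" }
        - { opt: PermitRootLogin, val: "no" }
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Removing a person is then a matter of taking them out of `admins` and running the play with `state: absent` for that user, rather than rotating a password everyone knows; `exclusive: true` also means a key someone added by hand to their own `authorized_keys` is removed on the next run, which is the behaviour you want for accountable access.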
(force-pushed from ce6c678 to c95e0be)
Some minor things, mostly this looks fine to me :)
(force-pushed from c93e618 to f694797)
(force-pushed from f694797 to 1058349)
Tested:
So LGTM. Things worth considering:
What sort of firewall are you considering? ufw? It's already running nftables as part of sshguard; could make use of that.

Seems reasonable to drop those headers if they're not useful, but I've no idea what they're for or if they matter.

I dunno ... pick one? I personally would just slam in some

Regarding the headers, they are AWS headers, and can be dropped safely, without any issue. They just indicate which server responded to the request, so you can trace problems (if any). The

I'd use iptables too! I only found out about nftables after looking into why sshguard wasn't working as I was expecting.

Removing cache headers seems the way to go; I presume it's easy enough to do.
(force-pushed from 1058349 to fba94c9)
Done. I think. I had to do some manual "recovery" work along the way, so I can't be quite certain that the playbook would all work from a "completely clean" install, but it's basically right. (If you reset one of them for me, I'm happy to try!)

Firewall implemented with firewalld & nftables (shiny and new!). Only required a small amount of stuff installed from buster-backports to make it work :) . Tested by running an http server on port 8000 and disabling the firewall. Even remembered to allow DHCP before the lease expired and everything fell over!

Cache headers removed as well - remaining:
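A play that does what the comment above describes, as an added example rather than the PR's own tasks: firewalld with the nftables backend, only ssh/http/https open, the DHCP client ports allowed so the lease keeps renewing, and a final check that an unrelated port (8000, the one used for the manual test) is not reachable through the firewall. The thread does not say which packages came from buster-backports, so pulling `firewalld` from there is an assumption, as is the `cdn` inventory group.

```yaml
# Added example, not the PR's own code. firewalld + nftables on Debian
# buster for a caching content server. Installing firewalld from
# buster-backports and the `cdn` inventory group are assumptions.
- name: Firewall the caching content servers with firewalld (nftables backend)
  hosts: cdn
  become: true
  tasks:
    - name: Install firewalld from buster-backports
      ansible.builtin.apt:
        name: firewalld
        default_release: buster-backports
        update_cache: true

    - name: Use the nftables backend (coexists with sshguard's own nft table)
      ansible.builtin.lineinfile:
        path: /etc/firewalld/firewalld.conf
        regexp: '^FirewallBackend='
        line: FirewallBackend=nftables
      notify: Restart firewalld

    - name: Enable and start firewalld
      ansible.builtin.service:
        name: firewalld
        enabled: true
        state: started

    - ansible.builtin.meta: flush_handlers

    # ssh so we keep management access, http/https for the content, and
    # dhcpv6-client so the v6 lease can renew. Opened in the running config
    # (immediate) and on disk (permanent) in one step.
    - name: Allow ssh, http, https and DHCPv6 client traffic
      ansible.posix.firewalld:
        service: "{{ item }}"
        zone: public
        permanent: true
        immediate: true
        state: enabled
      loop: [ssh, http, https, dhcpv6-client]

    # DHCPv4 replies arrive on udp/68 and are not part of a stock firewalld
    # service, so open the port explicitly before the lease expires.
    - name: Allow DHCPv4 client replies
      ansible.posix.firewalld:
        port: 68/udp
        zone: public
        permanent: true
        immediate: true
        state: enabled

    # Equivalent of the manual test in the thread: a random high port must
    # not be open. `--query-port` exits non-zero when the port is closed.
    - name: Confirm tcp/8000 is not open
      ansible.builtin.command: firewall-cmd --zone=public --query-port=8000/tcp
      register: port8000
      changed_when: false
      failed_when: port8000.rc == 0

  handlers:
    - name: Restart firewalld
      ansible.builtin.service:
        name: firewalld
        state: restarted
```

The `public` zone's default target rejects anything not listed, so the play is explicit about the allow-list and nothing else; if a later change needs another port it has to be added here, which is the point of keeping the firewall in the playbook rather than in someone's shell history.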
LGTM! Nice job :D
First pass. Everything runs successfully, but further changes are probably required.
Still to do: