-rw-r--r--  TODOs.org               | 19
-rwxr-xr-x  scripts/ci/provision.sh | 27
2 files changed, 33 insertions, 13 deletions
@@ -80,6 +80,23 @@ A reasonable alternative would be to redeploy everything on a different node, wi In this situation, I if go on with automating the deployment I'd rather pick the downtime option. I'll start with other services other than email and consider alternatives later. +** DONE Correctly load the SSH keypair using =user_data= +CLOSED: [2019-06-05 Wed 18:16] +*** DONE Disable the =user_data= +CLOSED: [2019-06-05 Wed 17:39] +*** DONE Generate and manually copy the =user-data.env= file +CLOSED: [2019-06-05 Wed 17:39] +*** CANCELLED Run it on the system +*** DONE Run each step individually and check them +CLOSED: [2019-06-05 Wed 18:15] +Check the content of the generated key files. +*** DONE Try to login +CLOSED: [2019-06-05 Wed 18:15] +Problem was on file typo and private key permissions. + +Bonus: change SSH port +** TODO Test key rotation +See if it is actually working as expected. ** TODO Use Digital Ocean's Volumes for persistent extended storage ** TODO Make VPS provisioning more robust *** DONE Use Ansible (or an equivalent tool) instead of custom Bash scripts @@ -115,6 +132,7 @@ Right now, secrets are scattered between the two repositories. By moving I can c ** TODO Explicitly destroy Droplets before running Terraform apply? ** TODO Store updated =.tfstate= even in case of deployment failure Right now the script fails on Terraform commands before reaching git commands. I should trap the error, store on git and only then fail. +** TODO Fix alias in =bash-profile.sh= * Must ** Fully deployable from code Use NixOps and Terraform to fully automate all of the configuration. 
@@ -249,3 +267,4 @@ Instead, explicitly call =ansible-playbook= after =terraform apply= finished run This way we test the DNS A record -> Floating IP -> Droplet IP path. We can't do that inside Terraform declaration because the =local-exec= provisioning command runs before the =digitalocean_floating_ip_assignment= is created, and we can't create a cyclic dependency between the two resources. We could use the raw Droplet IP instead of the DNS A record, but I prefer calling it later in order to always test the full DNS resolution. +* Scrath diff --git a/scripts/ci/provision.sh b/scripts/ci/provision.sh index 56e481a..4959c61 100755 --- a/scripts/ci/provision.sh +++ b/scripts/ci/provision.sh @@ -7,13 +7,14 @@ cd ../../ VPS_COMMIT_SHA="$(git rev-parse HEAD)" export VPS_COMMIT_SHA -echo "Shutting down running containers and backing up data..." -ssh "$TLD" "cd /home/vps/ && docker-compose down" -scp ./secrets/borg/borg_remote.pub "$TLD":/root/.ssh/id_rsa.pub -scp ./secrets/borg/borg_remote "$TLD":/root/.ssh/id_rsa -envsubst < ./scripts/box/run-backup.env.sh | ssh "$TLD" 'cat > /home/vps/run-backup.sh && chmod +x /home/vps/run-backup.sh' -ssh "$TLD" /home/vps/run-backup.sh -echo "Done." + +# echo "Shutting down running containers and backing up data..." +# ssh "$TLD" "cd /home/vps/ && docker-compose down" +# scp ./secrets/borg/borg_remote.pub "$TLD":/root/.ssh/id_rsa.pub +# scp ./secrets/borg/borg_remote "$TLD":/root/.ssh/id_rsa +# envsubst < ./scripts/box/run-backup.env.sh | ssh "$TLD" 'cat > /home/vps/run-backup.sh && chmod +x /home/vps/run-backup.sh' +# ssh "$TLD" /home/vps/run-backup.sh +# echo "Done." echo "Running 'terraform plan' and storing the planfile..." terraform --version 
@@ -47,9 +48,9 @@ echo "Running the Ansible playbook..." ansible-playbook provision.yaml echo "Done." -echo "Locking git-crypt repositories back..." -git crypt lock -pushd ../vps-state/ -git crypt lock -popd -echo "Done." +# echo "Locking git-crypt repositories back..." +# git crypt lock +# pushd ../vps-state/ +# git crypt lock +# popd +# echo "Done." |
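Review bot: In the @@ -80 hunk of TODOs.org, the DONE entry "Correctly load the SSH keypair using =user_data=" records only that "Problem was on file typo and private key permissions" without saying which file had the typo or what mode the generated key files now get; since the new "Test key rotation" item exercises the same path, note the expected permissions here so the rotation test has something concrete to check. The CANCELLED sub-item "Run it on the system" also lacks the CLOSED timestamp that every sibling item carries.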
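Review bot: The @@ -249 hunk of TODOs.org adds a new top-level heading `* Scrath`, which reads as a typo for "Scratch" and has no body; either give it content or drop it so the file does not end with an empty, misspelled heading.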
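Review bot: In the @@ -7 hunk of scripts/ci/provision.sh, commenting out the shutdown-and-backup block means `docker-compose down` and `/home/vps/run-backup.sh` no longer run before `terraform plan`, so the next deployment proceeds against live containers with no fresh backup and nothing in the CI log records that the step was skipped. If the backup is meant to be disabled only temporarily, gate it behind a variable instead of leaving seven commented lines, e.g. `if [ "${SKIP_BACKUP:-0}" != 1 ]; then ... fi` with an explicit `echo "WARNING: backup step skipped"` in the else branch, so the decision is visible in every run and the block cannot silently stay disabled.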
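Review bot: The @@ -47 hunk of scripts/ci/provision.sh removes the only `git crypt lock` calls, so after the playbook finishes both this repository and `../vps-state/` stay decrypted in the CI workspace, leaving the secrets that the TODOs.org hunk describes as "scattered between the two repositories" in plaintext on disk until something else locks them. Rather than commenting the block out, register the lock as an EXIT trap near the top of the script, e.g. `trap 'git crypt lock; (cd ../vps-state && git crypt lock)' EXIT`, which also covers the failure path the TODOs.org entry ("I should trap the error, store on git and only then fail") says is currently unhandled.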