# IoC for kamailio deb building infra

## Requirements

### awscli

```sh
apt install awscli
```

### OpenTofu

Add the OpenTofu repository in `/etc/apt/sources.list.d/opentofu.list`:

```
deb [signed-by=/etc/apt/keyrings/opentofu.gpg,/etc/apt/keyrings/opentofu-repo.gpg] https://packages.opentofu.org/opentofu/tofu/any/ any main
deb-src [signed-by=/etc/apt/keyrings/opentofu.gpg,/etc/apt/keyrings/opentofu-repo.gpg] https://packages.opentofu.org/opentofu/tofu/any/ any main
```

Then install it:

```sh
apt install tofu
```

### Ansible

I use virtualenvwrapper:

```sh
apt install virtualenvwrapper
```

Just generate a virtual environment for ansible:

```sh
mkvirtualenv ansible
```

Before working on it, activate the virtualenv with `workon` and install the requirements:

```sh
workon ansible
cd ami/ansible
ansible-galaxy collection install -f --upgrade -r collections/requirements.yml
ansible-galaxy role install -f -r roles/requirements.yml
```

## Building the AMI

```sh
cd ami
packer init .
packer build -var "environment=dev" slave.pkr.hcl
```

To keep a debug log of the build:

```sh
PACKER_LOG=1 PACKER_LOG_PATH=/tmp/packer.log packer build -var "environment=dev" slave.pkr.hcl
```

## Secrets

group_vars and host_vars files are encrypted using SOPS.
See also: Protecting Ansible secrets with SOPS.

We need the EC2 user keys before generating the AMI. The global environment has to be deployed first; see README.tf for more details.

```sh
cd environment/development
tofu init -upgrade
tofu plan
tofu apply -target local_file.admin_development -target local_file.admin_development_pub
```

Update the all.secrets.yml values and encrypt the file with sops:

- jenkins_master_jenkins_ssh <= environment/development/keys/admin_development.pem content
- jenkins_master_jenkins_ssh_pub <= public_key_openssh output

```sh
cd ami/ansible
sops --encrypt inventory_dev/group_vars/all.secret.yml > inventory_dev/group_vars/all.sops.yml
```

## pre-commit

```sh
apt install pre-commit
pre-commit install
```

## Certbot

This has to be executed just once, when the jenkins-master instance gets created. Execute ansible with deb_certbot_create set to true:

```sh
cd ami/ansible
workon ansible
ansible-playbook --inventory=inventory_dev/inventory main.yml --extra-vars='{"deb_certbot_create":true}'
```
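The SOPS step above produces `all.sops.yml` from the plaintext `all.secret.yml`; the mistake that matters is committing a file that was never encrypted, or only partly. As an added example (not code from the kamailio infra repo, suitable as a pre-commit hook), this POSIX shell check accepts a group_vars/host_vars file only if it carries the `sops:` metadata block with a MAC and every value outside that block is an `ENC[AES256_GCM,...]` envelope. The sample files and their ENC payloads are constructed placeholders, not real ciphertext.

```shell
# Check that a secrets file really went through `sops --encrypt`.
# Exit status: 0 = fully encrypted, 1 = plaintext found / not a sops file, 2 = unreadable.
check_sops_file() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 2; }
    grep -qE '^sops:' "$f" || { echo "$f: no sops metadata block" >&2; return 1; }
    grep -qE '^[[:space:]]+mac: ENC\[' "$f" || { echo "$f: no MAC in sops block" >&2; return 1; }
    # Walk every line outside the sops: block; anything that is not a comment, a
    # key introducing a nested mapping, or an ENC[...] value is reported as plaintext.
    plain=$(awk '
        /^sops:/               { in_sops = 1; next }
        in_sops && /^[^ \t]/   { in_sops = 0 }
        in_sops                { next }
        /^[ \t]*#/ || /^[ \t]*$/ || /^---/ { next }
        /^[ \t]*(- )?[A-Za-z0-9_.-]+:[ \t]*$/ { next }
        /(:|-)[ \t]+ENC\[AES256_GCM,/ { next }
        { print FILENAME ":" NR ": " $0 }
    ' "$f")
    [ -z "$plain" ] && return 0
    printf '%s: plaintext values found:\n%s\n' "$f" "$plain" >&2
    return 1
}

# Constructed samples (placeholder ENC payloads), written to a temp dir that is left in place.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/all.sops.yml" <<'EOF'
jenkins_master_jenkins_ssh: ENC[AES256_GCM,data:QUJD,iv:MTIz,tag:NDU2,type:str]
jenkins_master_jenkins_ssh_pub: ENC[AES256_GCM,data:REVG,iv:Nzg5,tag:MDEy,type:str]
sops:
    kms: []
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.8.1
EOF
# Same layout, but one value was pasted in after encryption and is still plaintext.
cat > "$SAMPLE_DIR/all.sops-bad.yml" <<'EOF'
jenkins_master_jenkins_ssh: ENC[AES256_GCM,data:QUJD,iv:MTIz,tag:NDU2,type:str]
jenkins_master_jenkins_ssh_pub: ssh-ed25519 AAAAC3 placeholder-not-encrypted
sops:
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
EOF

if check_sops_file "$SAMPLE_DIR/all.sops.yml"; then echo "all.sops.yml: ok"; fi
check_sops_file "$SAMPLE_DIR/all.sops-bad.yml" || echo "all.sops-bad.yml: rejected"
```

Wire it into `.pre-commit-config.yaml` as a local hook over `inventory_*/group_vars/*.sops.yml` so a plaintext secrets file never reaches a commit.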