I propose we organize the ansible securedrop-club by following the following conventions:
all the infrastructure is deployed with ansible-playbook playbook.yml at the top level
playbook.yml at the top level only contains includes to playbooks in molecule. In the example below, it means the molecule/postfix/playbook.yml must be split in two. postfix-playbook.yml which is used for deployment and test-postfix-client-playbook.yml which is only relevant for testing.
roles contains home made roles
roles-external contains third party roles
in each molecule/*/roles directory only roles that are strictly necessary are symlinked to the top level roles and roles-external directories. This hopefully helps figure out the role dependencies.
Looking good! Thanks for sharing the strategy youβre using.
Why use another nested roles directory at molecule/postfix/roles? Personally, I prefer to have external roles locked to specific versions via git submodules in the top-level roles-external/ directory. Then the roles will be reusable for all scenarios and playbooks, and guarantee consistent behavior. If youβre running the playbooks via Molecule, then you may need to futz with the roles_path setting in ansible.cfg to ensure Molecule finds the roles.
Nice use of the debops work. Thatβs a project Iβve had an eye on for a long time, and while we do not use it internally yet, it seems very attractive. It would likely take a lot of work to migrate our entire infra repository to use debops, and debops feels like an βall-inβ configuration strategy, meaning itβs difficult to use just select portions of it, rather than switching to it entirely as an Ansible wrapper. Would like to hear more about how you find its usage together with Molecule.
We followed your example regarding the roles and roles-external at the top level. I meant write symlinked to the top level roles and roles-external directories instead of copied, sorry for the confusion. It would indeed be unnecessary to copy the roles in each molecule subdirectory
Thatβs exactly the reason why I hesitated to use it for the postfix role. What bothered me most is the requirement on the firewall. But since weβre using firewalls that are outside of the VM control, there wonβt be conflicts there. The rest is not too intrusive. It did not cause trouble with molecule testing and did not interfere with the other roles we re-use. So far so good, fingers crossed and all that
I pushed a reorganized repository@fpoulain make sure you get it before starting anything, things moved around I removed the obsolete molecule/icinga directory and your molecule/monitoring_client has been renamed molecule/icinga, which makes more sense.
Ok. Moreover, since deploy_dummy_monitoring_objects is a dummy role (here in a testing context, not going to be reused, although it may provides some snippets) which makes only sense in the context of molecule/icinga, we should move it there.
I wonder where does monitoring stuff should go. For internal roles, I started to add a task list name monitoring.yml. Example given in roles/weblate/tasks.
For the postfix role, I appended monitoring stuff to main.yml but imho it should moves to an included file.
Some monitoring configurations may be specifics to a given scenario. Then it is easy to add a specific role (like deploy_dummy_monitoring_objects for the icinga scenario).
For external roles, I canβt do this without forking the submodule, and thatβs not what we want. Does git allow a kind of overlay over submodules? Or have we to create specific monitoring roles to be called from scenario playbooks?
I think it would make sense to have a monitoring_client role that some playbooks can use, rather than having a file inside the role. Thatβs what I did for the firewall for instance. Maybe thatβs exactly when you meant by I started with specific monitoring role.
The proposed organization where all molecules/*/roles directories have symlinks is inconvenient to maintain. The higher level roles (like weblate) have symlinks to the low level roles (like firewal) and thatβs a lot of duplications.
Iβll try something else instead, which is what Mike and @conorsch did in SecureDrop: setting
We have some redundancy in maintaining the list of directories in which roles are stored. But much less than symlinking each role. I realized how tedious it would be when splitting the firewall role out of the vm role. I had to create a symlink in all molecule/*/roles directory because they all indirectly depend on it.