{"id":28591559,"url":"https://github.com/monarc-project/ansible-ubuntu","last_synced_at":"2025-10-04T04:59:34.927Z","repository":{"id":52201943,"uuid":"97116138","full_name":"monarc-project/ansible-ubuntu","owner":"monarc-project","description":"Deployment of MONARC with Ansible","archived":false,"fork":false,"pushed_at":"2025-02-14T08:47:11.000Z","size":1404,"stargazers_count":2,"open_issues_count":1,"forks_count":5,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-06-11T09:57:01.516Z","etag":null,"topics":["ansible","monarc","monarc-architecture","python"],"latest_commit_sha":null,"homepage":"","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/monarc-project.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-07-13T11:41:57.000Z","updated_at":"2025-02-14T08:47:14.000Z","dependencies_parsed_at":"2023-02-14T08:20:25.527Z","dependency_job_id":"2778d763-93a6-41cd-8568-23dc293ada28","html_url":"https://github.com/monarc-project/ansible-ubuntu","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/monarc-project/ansible-ubuntu","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monarc-project%2Fansible-ubuntu","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monarc-project%2Fansible-ubuntu/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monarc-project%2Fansible-ubuntu/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/monarc-project%2Fansible-ubuntu/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/monarc-project","download_url":"https://codeload.github.com/monarc-project/ansible-ubuntu/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monarc-project%2Fansible-ubuntu/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278266897,"owners_count":25958733,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-04T02:00:05.491Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","monarc","monarc-architecture","python"],"created_at":"2025-06-11T09:36:10.552Z","updated_at":"2025-10-04T04:59:34.901Z","avatar_url":"https://github.com/monarc-project.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Ansible playbook for MONARC deployment\n\nThis playbook is used to deploy the whole MONARC architecture in accordance with\nthe figure below.\n\n![MONARC architecture](images/monarc-architecture.png \"MONARC architecture\")\n\n## Ansible roles\n\nThere are three main roles, described below.\n\n### monarcco\n\nCommon tasks for the front office and the back office.\n\n### monarcbo\n\n[Backoffice](https://github.com/monarc-project/MonarcAppBO).\n\n### monarcfo\n\n[Frontoffice](https://github.com/monarc-project/MonarcAppFO).\nThere can be 
multiple installations per client to balance the load.\n\n### Extra roles\n\n`role-apache2` and `role-certbot` are extra generic utility roles.\n\n## Requirements\n\n* Python 3 on all servers;\n* [Ansible](https://www.ansible.com/) must be installed on the configuration\n  server;\n* [PyMySQL](https://pypi.org/project/PyMySQL) on the BO and the FO; installed\n  through the role `monarcco`;\n* Postfix on the BO and all FO servers (for the password recovery feature of\n  MONARC).\n\nPython 3 should be the default on the system. For example:\n\n```bash\n$ python --version\nPython 3.10.0\n```\n\nThese roles have been tested with Ansible 2.9.6, as shipped by default with\nUbuntu 20.04; you can use the packaged version or another more recent version\n(from pip, poetry, virtualenv, ...).\n\nGet the playbook for MONARC and install Ansible on the configuration server:\n\n```bash\n$ git clone https://github.com/monarc-project/ansible-ubuntu.git\n$ cd ansible-ubuntu/\n```\n\nPoetry is not mandatory but convenient to manage the dependencies. 
Installation\nis described [here](https://github.com/python-poetry/poetry#installation=).\n\n```bash\n$ poetry install\n$ poetry shell\n```\n\n## Configuration\n\n### SSH\n\n* create a user named *ansible* on each server:\n  * ``sudo adduser ansible``\n* generate an SSH key for the user *ansible* on the configuration server:\n  * ``ssh-keygen -t rsa -C \"your_email@example.com\"``\n* from the configuration server, copy the public key to each server:\n  * ``ssh-copy-id ansible@BO``\n  * ``ssh-copy-id ansible@FO``\n  * ``ssh-copy-id ansible@RPX``\n\nAt that point you can check that it is possible to connect from the\nconfiguration server to the other servers without having to enter a password.\n\n### Unix groups\n\n* add the user *ansible* to the *sudo* group:\n  * ``sudo usermod -aG sudo ansible``\n* allow *ansible* to use sudo without a password:\n  * add ``ansible ALL=(ALL:ALL) NOPASSWD:ALL`` to the file */etc/sudoers* using *visudo*\n\n### Ansible\n\n* create a configuration file, _inventory/hosts_, with your own settings:\n\n```ini\n[all:vars]\nansible_python_interpreter=/usr/bin/python3\n\n# comment out if you don't need a proxy\nhttp_proxy=\"http://fqdn:3128/\"\nhttps_proxy=\"http://fqdn:3128/\"\n# docker config for statsservice\ndocker_config_bip=\"100.100.0.1/22\"\ndocker_config_proxy=\"{{ http_proxy }}\"\n\n[monarc:vars]\nenv_prefix=\"\"\npublicHost=\"my.monarc.lu\"\nmaster=\"monarc-master.internal.monarc.lu\"\nmonarc_statsservice_admin_token=\"\u003csecret\u003e\"\nmonarc_statsservice_secret_key=\"\u003csecret\u003e\"\nmonarc_statsservice_url=\"https://{{ publicHost }}/dashboard\"\nmonarc_statsservice_port=5005\n\ntwoFactorAuthEnforced=\"true\"\n\nisDefaultExportWithAssessments=\"false\"\nisCaptchaEnabled=\"true\"\ncaptchaFailedLoginAttempts=3\n\nemailFrom=\"no-reply@{{ publicHost }}\"\nprotocol=\"https\"\nbourlalias=\"monarcbo\"\n\n# front office systems\n[dev]\nmonarc-fo1.internal.monarc.lu\nmonarc-fo2.internal.monarc.lu\n\n# master / back 
office\n[master]\nmonarc-master.internal.monarc.lu monarc_sql_password=\"\u003csecret\u003e\"\n\n# public facing reverse proxy\n[rpx]\nmonarc-rpx.internal.monarc.lu\n\n[monarc:children]\nrpx\nmaster\ndev\n```\n\nA good test for connectivity and Ansible configuration would be to call\n`ansible all -m ping`; you should get an answer from all the FrontOffice servers,\nthe BackOffice and the reverse proxy (rpx).\n\nIn the section ``[dev]``, ``monarc-fo1.internal.monarc.lu`` should be resolved\nby the internal DNS. It is the internal name of the FrontOffice server. The same\napplies to the other servers. If you cannot change the internal DNS, you can\nhandle this with entries in the file ``/etc/hosts`` of the system.\n\nThe variable `monarc_sql_password` is the password for the SQL database on the\nBackOffice. Ansible will use it in order to create a new SQL user on the back\noffice with the corresponding databases.\n\nFinally, launch Ansible from the `playbook` directory:\n\n```bash\nansible@CFG:~/ansible-ubuntu/playbook$ ansible-playbook --diff monarc.yml\n```\n\nAnsible will install and configure the back office, the front office(s) and the\nreverse proxy. Consequently the configuration server must be able to reach\nthese servers through SSH. For more details on how to execute Ansible, read the\nnext section.\n\n## Notes\n\n### Updating the inventory of Ansible\n\nAdding/removing a client to/from the Ansible inventory can be done with the\nscript `update.sh`, run via cron as the user `ansible`.\n\n```bash\nansible@CFG:~$ crontab -l\n0 *  * * *  /home/ansible/ansible-ubuntu/playbook/update.sh /home/ansible/ansible-ubuntu/playbook/ $BO_ADDRESS `which ansible-playbook` `which python3`\n```\n\nOptionally, as a fourth argument, you can specify the Python executable\n(environment) to use.\nThis is an example. 
Below is a real-world example:\n\n```bash\nansible@monarc2-conf:~/ansible-ubuntu$ poetry env info\n\nVirtualenv\nPython:         3.9.12\nImplementation: CPython\nPath:           /home/ansible/.cache/pypoetry/virtualenvs/ansible-ubuntu-EcXl-2U4-py3.9\nValid:          True\n\nSystem\nPlatform: linux\nOS:       posix\nPython:   /usr\n\nansible@monarc2-conf:~/ansible-ubuntu$ crontab -l\n# Edit this file to introduce tasks to be run by cron.\n# \n# Each task to run has to be defined through a single line\n# indicating with different fields when the task will be run\n# and what command to run for the task\n# \n# To define the time you can provide concrete values for\n# minute (m), hour (h), day of month (dom), month (mon),\n# and day of week (dow) or use '*' in these fields (for 'any').\n# \n# Notice that tasks will be started based on the cron's system\n# daemon's notion of time and timezones.\n# \n# Output of the crontab jobs (including errors) is sent through\n# email to the user the crontab file belongs to (unless redirected).\n# \n# For example, you can run a backup of all your user accounts\n# at 5 a.m every week with:\n# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/\n# \n# For more information see the manual pages of crontab(5) and cron(8)\n# \n# m h  dom mon dow   command\n#0 * * * * /home/ansible/ansible-ubuntu/playbook/update.sh /home/ansible/ansible-ubuntu/playbook/ 172.18.13.71 /home/ansible/.cache/pypoetry/virtualenvs/ansible-ubuntu-EcXl-2U4-py3.9/bin/ansible /home/ansible/.cache/pypoetry/virtualenvs/ansible-ubuntu-EcXl-2U4-py3.9/bin/python\n```\n\nInstead of an IP you can use the name of the BO if it resolves internally.\nAs you can see, we have used the full path to the ansible executable. 
This is\nto be sure that the script will use the correct version of Ansible.\n\nThe frequency of the task defined by cron is up to you.\n\nThe script ``update.sh`` will:\n\n* update the inventory of Ansible;\n* launch Ansible for the creation/removal of clients;\n* synchronize the delivery templates.\n\nThe `add_inventory.py` and `del_inventory.py` scripts are used to dynamically\nedit the inventory files of the configuration server. These scripts are used by\n``update.sh``.\n\nYou can use `list_inventory.py` to check all the current clients in the\ninventory of Ansible. If you want to check the connectivity between the\nconfiguration server and the front office servers:\n\n```bash\nansible@CFG:~$ ./list_inventory.py ../inventory/ | cut -f 1 -d ' ' | uniq | xargs -n 1 ping -w 1\n```\n\n### TLS certificate\n\n#### Self-signed certificate\n\nGeneration of the certificate:\n\n```bash\n# openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout /etc/sslkeys/monarc.key -out /etc/sslkeys/monarc.crt\n```\n\nThen edit `playbook/monarc.yml` to set `SSLCertificateFile:` and\n`SSLCertificateKeyFile:`; you **must** disable certbot support by setting\n`certbot_enabled: false`.\n\n#### Let's Encrypt certificate\n\nBy default the playbook will attempt to generate an X.509 (\"https\") certificate\nusing certbot and Let's Encrypt.\n\nYou don't need to set anything, but your reverse proxy needs access to the Let's\nEncrypt API servers; if you set `http_proxy` values in the inventory, the\ncertbot role will apply the right proxy configuration for the renewal.\n\nThe value of `emailFrom` will be used for the contact email while registering\nthe account with Let's Encrypt.\n\n### Postfix\n\nInstallation of Postfix on the BO and the FO is **not done** by Ansible. 
You\nhave to do it manually.\n\n## Issues\n\nFor security issues please contact us at\n[info@cases.lu](mailto:info@cases.lu?subject=MONARC).\n\nFor other issues (ideas, improvements, etc.), you can submit them directly\non [GitHub](https://github.com/monarc-project/MonarcAppFO/issues).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmonarc-project%2Fansible-ubuntu","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmonarc-project%2Fansible-ubuntu","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmonarc-project%2Fansible-ubuntu/lists"}