# liz.coffee infra
A collection of playbooks to deploy the liz.coffee infra
## Prerequisites
- `ansible`
- `yamllint`
- `ansible-lint`
- an SSH key accepted by the host on each line of the `inventory`
## Setup
### Vault
Secrets are managed via `ansible-vault`. Initialize or update your vault
with new secrets via our custom `./ansible-vault-init.sh` script.
To update only a single secret, use
`./ansible-vault-init.sh <secret_name>`.
If you don't want to be prompted to enter your password every time you
deploy something, put your password as plain text into `secrets.pwd` as
a single line in the root src directory:
```bash
echo "<your_password>" > secrets.pwd
```
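Then you can add `--vault-password-file secrets.pwd` each time you run a
deployment (or you know, use `pass` or something if you're paranoid).
Since `secrets.pwd` holds the vault password in plain text, keep it out of
version control and readable only by your own user.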
### Pre-commit hooks
1. clone the repo
```bash
git clone git@git.liz.coffee:liz.coffee/infra
cd infra
```
2. add a pre-commit hook
```bash
cd .git/hooks
touch pre-commit
```
3. insert into `pre-commit` the following contents:
```bash
#!/bin/sh
set -e
# lint yaml files
echo "running yamllint..."
yamllint --strict .
# follow ansible best-practices
echo "running ansible-lint"
ansible-lint
```
4. make it executable
```bash
chmod +x pre-commit
```
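An added example, not part of this repo's hook: two guard functions that could be appended to the `pre-commit` script above so that the plaintext `secrets.pwd` is never committed and `secrets.enc` is only committed in encrypted form. It assumes `secrets.enc` is a whole-file vault whose first line starts with the `$ANSIBLE_VAULT;` header; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: secret guards for the pre-commit hook (not the repo's own code).
# Assumption: secrets.enc is a whole-file vault written by ansible-vault, so
# its first line starts with "$ANSIBLE_VAULT;".

# Succeeds only if the file's first line carries the ansible-vault header.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    # read fails on a missing trailing newline but still fills the variable
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads staged file names on stdin (one per line). Fails if the plaintext
# password file is among them, or if a staged secrets.enc is not encrypted.
# Note: this inspects the working-tree copy of secrets.enc.
check_staged_secrets() {
    status=0
    while IFS= read -r path; do
        case "$path" in
            secrets.pwd|*/secrets.pwd)
                echo "refusing to commit plaintext vault password: $path" >&2
                status=1 ;;
            secrets.enc|*/secrets.enc)
                if ! is_vault_encrypted "$path"; then
                    echo "refusing to commit unencrypted vault: $path" >&2
                    status=1
                fi ;;
        esac
    done
    return "$status"
}

# In the hook (git runs it from the repo root):
#   git diff --cached --name-only --diff-filter=ACM | check_staged_secrets
```

With `set -e` already at the top of the hook, a non-zero return from `check_staged_secrets` aborts the commit.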
## Running
`ansible-playbook -e @secrets.enc deploy.yml` runs each playbook added to `deploy.yml` in turn,
using the vault initialized in the previous steps.
In development, though, test individual playbooks; treat `deploy.yml`
as a guide to the general order of things, or use it for a
full deployment after testing.
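NOTE: It is highly advised to run `ansible-playbook` in an `ssh-agent` session to avoid retyping your SSH key passphrase over and over. Something along the lines of:
```bash
# start a new shell with an ssh-agent attached to it
ssh-agent "$SHELL"
# load your key into the agent (prompts for the passphrase once)
ssh-add ~/.ssh/<private-key>
```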