Introduction to Ansible Transcripts
Chapter: Configuring Servers
Lecture: Splitting Web Server and Database Server Roles
0:00 We've handled most of the first three steps that we've
0:02 set out to do here and next we are going to stand up
0:04 a web server on one of our two servers.
0:07 Couple things to note: one, there are many
0:09 more steps we can take to harden
0:10 our server against malicious actors.
0:12 The purpose of this playbook is not going to be
0:14 exhaustive and completely securing your environment.
0:17 These are good first steps but there's a lot more you can
0:19 learn about how to lock down Linux servers.
0:22 In general though these are the first couple
0:23 steps that anyone is going to take.
0:25 Make sure it's SSH key-only login, use
0:28 a non-root user, set up the firewall
0:29 to disable any ports other than the ones
0:32 that are absolutely necessary.
0:34 Before we move into standing up a web server
0:36 and handling the web server infrastructure
0:38 let's create some tasks with the UFW module.
0:41 To start setting up the roles for
0:43 the web server and the database server.
0:47 And go under roles, under webserver
0:51 and create a tasks directory, and a templates directory.
0:56 And let's do the same thing under the database directory.
1:02 If we go under common under tasks
1:04 what I often do, copy in a couple
1:06 of YAML files as boilerplate.
1:10 Now head under webserver/tasks
1:13 let's modify main.yml
1:20 modify security.yml, and we don't
1:22 need to worry about the packages
1:25 because these are always going to be installed.
1:27 We know that the SSH port for 22 will be open
1:30 for us, we know that the firewall itself will be enabled
1:34 due to our tasks under common, so let's enable HTTP
1:42 and that will be port 80, and we'll do one more for
1:47 HTTPS, and that's port 443
1:50 so this will open up, just for the web server configuration
1:55 port 80, port 443.
1:57 We're going to want to do this one more time
2:00 so copy these two files, and we're going to put
2:03 them under the database server.
2:07 Let's change into the database task directory
2:12 modify main.yml
2:21 And we're going to use port 5432
2:27 as the default port for Postgres.
2:33 Alright, now we want to test all this out again.
2:35 One more thing: we need to modify webserver.yml
2:38 to make sure that we're applying the web server role.
2:47 Now we see that it enabled HTTP
2:49 and HTTPS access as we specified under
2:58 Now if we want to handle the database
2:59 there's a couple ways we could do this:
3:01 we could modify webserver.yml
3:03 so that it applies to both the web server
3:05 and the database server, or we could create
3:07 a separate file and execute the playbook separately.
3:11 I like to keep as much of my configuration
3:13 in a single file as possible, so we're
3:15 going to modify this file here
3:20 and we'll rename it
3:24 once we get the new configuration in.
3:35 So now let's rename webserver.yml
3:45 and we'll kick this off instead of
3:47 webserver.yml, webanddatabase.yml.
3:58 This will likely take a little bit longer because
3:59 the database server hasn't had those packages installed yet.
4:08 Alright, we can see that it is finished
4:09 and it has enabled Postgres access on the database server.
4:13 So now we have our firewall rules set
4:15 depending on whether a server is a web server
4:17 or it's a database server, and we can expand that
4:20 model to however many types of roles
4:22 for servers that we have in our deployment.