Introduction to Ansible Transcripts
Chapter: Configuring Servers
Lecture: Splitting Web Server and Database Server Roles
0:00 We've handled most of the first three steps that we've set out to do here and next we are going to stand up a web server on one of our two servers.
0:08 A couple of things to note: one, there are many more steps we can take to harden our server against malicious actors.
0:13 The purpose of this playbook is not going to be exhaustive and completely securing your environment.
0:18 These are good first steps, but there's a lot more you can learn about how to lock down Linux servers. In general, though, these are the first couple
0:24 steps that anyone is going to take. Make sure it's SSH-key-only login, use a non-root user, set up the firewall
0:30 to disable any ports other than the ones that are absolutely necessary. Before we move into standing up a web server
0:37 and handling the web server infrastructure, let's create some tasks with the UFW module, to start setting up the roles for
0:44 the web server and the database server. And go under roles, under webserver, and create a tasks directory and a templates directory.
0:57 And let's do the same thing under the database directory. If we go under common, under tasks, what I often do, copy in a couple
1:07 of YAML files as boilerplate. Now head under webserver/tasks, let's modify main.yml, modify security.yml, and we don't need to worry about the packages
1:26 because these are always going to be installed. We know that the SSH port for 22 will be open for us, we know that the firewall itself will be enabled
1:35 due to our tasks under common, so let's enable HTTP and that will be port 80, and we'll do one more for HTTPS, and that's port 443
1:51 so this will open up, just for the web server configuration, port 80, port 443. We're going to want to do this one more time,
2:01 so copy these two files, and we're going to put them under the database server. Let's change into the database task directory, modify main.yml.
2:22 And we're going to use port 5432 as the default port for Postgres. Alright, now we want to test all this out again,
2:36 one more thing, we need to modify webserver.yml to make sure that we're applying the web server role. Now we see that it enabled HTTP
2:50 and HTTPS access as we specified under roles/webserver/tasks/security.yml. Now if we want to handle the database, there's a couple ways we could do this:
3:02 we could modify webserver.yml so that it applies to both the web server and the database server, or we could create
3:08 a separate file and execute the playbook separately. I like to keep as much of my configuration in a single file as possible, so we're
3:16 going to modify this file here and we'll rename it once we get the new configuration in.
3:36 So now let's rename webserver.yml to webanddatabase.yml, and we'll kick this off instead of webserver.yml, webanddatabase.yml.
3:59 This will likely take a little bit longer because the database server hasn't had those packages installed yet. Alright, we can see that it is finished
4:10 and it has enabled Postgres access on the database server. So now we have our firewall rules set depending on whether a server is a web server
4:18 or it's a database server, and we can expand that model to however many types of roles for servers that we have in our deployment.