Group and Host Variables - HeliumEdu/deploy GitHub Wiki

The ansible/group_vars and ansible/host_vars folders can contain definitions for Ansible's inventory. Configurations for non-dev environments are ignored in Git so they do not get committed by accident.

The group_vars folder should contain a committed copy of all.yml, inventory items that are applicable to all environments, and devbox.yml.example, an example inventory file that also works with the supplied Vagrant configuration. To get started, rename devbox.yml.example to devbox.yml.

Note that credentials to third-party services (for example, AWS services like SES) need to be set in the devbox.yml file before those services will work properly (see here for an AWS setup guide). Do NOT commit real credentials to third-party services, even in example files.

Making a New Inventory Configuration

Aside from the obvious updates that need to be made to any host or credentials variable (note that most hosts in devbox.yml.example end in .test), these are the variables that should be updated when configuring a new group.

  • environment should match the name of the group; it is used as a prefix or suffix for server variables (for instance, the name of a datastore) to distinguish between environments
  • Any secret or key should be regenerated; do NOT reuse these between environments
  • helium_host should be updated to reflect the domain of the new environment
  • platform_host_protocol and platform_ssl along with frontend_host_protocol and frontend_ssl should be updated if the new group supports SSL
  • letsencrypt_ssl can be added and set to True if you want to auto-generate and renew SSL certificates and your hosts are resolvable externally
  • project_serve_local, PROJECT_SERVE_LOCAL, and PROJECT_DISABLE_EMAILS should be removed from non-dev environments, as they fall back to safe defaults
  • platform_num_workers, the number of Celery Supervisor workers that will be deployed on the worker node, should be added and likely increased in production environments (the default is 2 if not set)
  • If platform is going to be deployed in two clusters (one for web nodes, one for worker nodes, as they utilize the same codebase), be sure to use - { role: helium-platform, web_node: False } for the worker node configuration

Note that if the new inventory calls for SSL but does not use Let's Encrypt as described above, the following corresponding SSL files will need to be in ansible/private/ssl:

  • apache.{{ domain_environment }}.{{ host }}.crt
  • apache.{{ domain_environment }}.{{ host }}.key
  • apache.{{ domain_environment }}.{{ host }}.ca-bundle
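
The checklist above can be turned into a pre-deploy check that compares a new group file against devbox.yml.example. This is an added example, not part of the HeliumEdu/deploy repository; it assumes a simplified line-based reading of the YAML, recognises secrets by variable name, and uses a made-up variable (hypothetical_secret_key) and made-up hosts in its sample data.

```python
import re

# Variables the page says to remove from non-dev environments.
DEV_ONLY = {"project_serve_local", "PROJECT_SERVE_LOCAL", "PROJECT_DISABLE_EMAILS"}
# Assumption: secrets are recognised by name; adjust to the real variable names.
SECRET_NAME = re.compile(r"secret|key|password", re.IGNORECASE)
LINE = re.compile(r"^\s*([A-Za-z_]\w*)\s*:\s*(\S.*)$")

def parse_vars(text):
    """Collect scalar `key: value` pairs at any indent (simplified, not full YAML)."""
    found = {}
    for raw in text.splitlines():
        match = LINE.match(raw.split(" #", 1)[0].rstrip())
        if match:
            found[match.group(1)] = match.group(2).strip("'\"")
    return found

def audit_group(group, new_text, example_text):
    """Return findings for a non-dev group_vars file, checked against the example."""
    new, example = parse_vars(new_text), parse_vars(example_text)
    findings = []
    if new.get("environment") != group:
        findings.append("environment does not match group name")
    if new.get("helium_host", "").endswith(".test"):
        findings.append("helium_host still uses a .test domain")
    for name in sorted(DEV_ONLY & set(new)):
        findings.append(f"dev-only variable present: {name}")
    for name, value in sorted(new.items()):
        if SECRET_NAME.search(name) and example.get(name) == value:
            findings.append(f"secret reused from example file: {name}")
    return findings

# Constructed sample files; hypothetical_secret_key and the hosts are made up.
EXAMPLE = """\
environment: devbox
helium_host: example.test
hypothetical_secret_key: "not-a-real-secret"
project_serve_local: True
"""
STAGE = EXAMPLE.replace("example.test", "stage.example.test")  # copied, barely edited

if __name__ == "__main__":
    for finding in audit_group("stage", STAGE, EXAMPLE):
        print(finding)
```

Run against the constructed STAGE sample, it reports all four checklist violations; a file with a matching environment, a real domain, regenerated secrets and no dev-only variables returns an empty list.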