# 🔧 Server Convergence

After provisioning servers with Terraform, RailianceHosts uses **Ansible** to bring them into a secure and usable baseline state.

This process is called **convergence**.

## What Convergence Does

When you run `make converge`, Ansible connects to every host declared in the inventory and applies the baseline roles:

- **User setup** → ensures the `admin` user exists with your SSH public key in its `authorized_keys` and passwordless sudo
- **Firewall** → configures `ufw` with sensible defaults (default deny incoming, allow outgoing, allow SSH; the SSH rule goes in before the firewall is enabled so the running session is not cut off)
- **Hardening** → basic SSH daemon hardening: disable root login and disable password authentication, leaving key-based login as the only way in (make sure your key login as `admin` works, since that is what stays open)
- **Tooling** → installs essential packages (htop, vim, git, curl, fail2ban, etc.)
- **SOPS agent** → ensures decryption tooling (`age`, `sops`) is available on the host

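The same baseline written out as one Ansible play, so the ordering and the safety checks are visible. This is an added illustration, not the RailianceHosts roles themselves; it assumes an inventory group named `servers`, Debian 12 / Ubuntu 22.04 or newer hosts (apt, the `ssh` service, and an `sshd_config` that starts with `Include /etc/ssh/sshd_config.d/*.conf`), SSH on port 22, and your public key at `~/.ssh/id_ed25519.pub` on the control node. Three details keep you from locking yourself out: the `admin` key is installed before password authentication is switched off, SSH is allowed before `ufw` is enabled, and the sudoers fragment and the sshd drop-in are validated (`visudo -cf`, `sshd -t`) before they go live.

```yaml
# Added illustration of the baseline roles; not the RailianceHosts playbooks.
# Assumptions: inventory group "servers", Debian 12 / Ubuntu 22.04 or newer
# (apt, "ssh" service, sshd_config starts with an Include of sshd_config.d/),
# SSH on port 22, workstation key at ~/.ssh/id_ed25519.pub.
- name: Baseline convergence (illustrative)
  hosts: servers
  become: true
  vars:
    admin_user: admin
    admin_pubkey: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
    ssh_port: 22
    baseline_packages: [htop, vim, git, curl, fail2ban, age]   # sops: see note below

  tasks:
    # --- User setup: the key goes in BEFORE password auth is disabled below ---
    - name: Ensure admin user exists
      ansible.builtin.user:
        name: "{{ admin_user }}"
        shell: /bin/bash
        groups: sudo
        append: true

    - name: Install the workstation public key for admin
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_pubkey }}"
        state: present

    # A syntax error in /etc/sudoers.d breaks sudo for everyone, so the
    # fragment is checked with visudo before it is written into place.
    - name: Passwordless sudo for admin
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/90-{{ admin_user }}"
        content: "{{ admin_user }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    # --- Firewall: allow SSH first, then default-deny, then enable -----------
    - name: Allow SSH
      community.general.ufw:
        rule: allow
        port: "{{ ssh_port }}"
        proto: tcp

    - name: Default policies
      community.general.ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: incoming, policy: deny }
        - { direction: outgoing, policy: allow }

    - name: Enable ufw
      community.general.ufw:
        state: enabled

    # --- SSH hardening as a drop-in. sshd keeps the FIRST value it reads, and
    # the Include at the top of sshd_config pulls drop-ins in name order, so
    # 10-* wins over cloud-init's 50-cloud-init.conf (which re-enables
    # PasswordAuthentication on many cloud images). sshd -t rejects bad
    # syntax before the file replaces the live one.
    - name: Harden sshd
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/10-hardening.conf
        content: |
          PermitRootLogin no
          PasswordAuthentication no
          PubkeyAuthentication yes
        owner: root
        group: root
        mode: "0644"
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

    # --- Tooling (age here also serves the SOPS agent role) ------------------
    - name: Install baseline packages
      ansible.builtin.apt:
        name: "{{ baseline_packages }}"
        state: present
        update_cache: true

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Run it with `ansible-playbook -i inventory/servers.yaml baseline.yml`; the `ansible.posix` and `community.general` collections it uses ship with the `ansible` package but not with `ansible-core` alone. `sops` is not in the Debian/Ubuntu archives, so a real SOPS agent role has to fetch a release binary, which this example leaves out.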

## Running Convergence

```bash
make converge
```

This will:

1. Decrypt secrets locally with your age key (the private key stays on your workstation)
2. Run the Ansible playbooks against all hosts in your `inventory/servers.yaml`
3. Apply the baseline security and tooling configuration described above

## Verifying

Once convergence completes, log in as `admin` and check each role by hand:

```bash
ssh admin@<server-ip>

# Check sudo access without password
sudo -n true && echo "✔ sudo OK"

# Firewall status (expect Status: active with SSH allowed)
sudo ufw status

# Installed tools
htop --version
```
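To check every host in the inventory in one run instead of SSHing into each, the same checks can be written as an Ansible play of `assert` tasks. This is an added example, not part of the project; it assumes the `servers` group, that the play connects as `admin` (`ansible_user=admin`), and SSH on port 22. It reads `sshd -T`, the daemon's effective configuration, which catches the case where `sshd_config` says `PasswordAuthentication no` but a drop-in under `sshd_config.d` (cloud-init ships one on many images) is read first and wins.

```yaml
# Added example, not part of RailianceHosts: one play that checks every host
# in the inventory. Assumes the "servers" group, that the play connects as
# admin (ansible_user=admin) and that SSH is on port 22.
- name: Verify baseline
  hosts: servers
  become: false
  gather_facts: false
  tasks:
    # Runs as the connecting user, so a broken NOPASSWD rule fails here
    # instead of surfacing as a privilege-escalation error later on.
    - name: Passwordless sudo works for admin
      ansible.builtin.command: sudo -n true
      changed_when: false

    # sshd -T prints the daemon's EFFECTIVE settings (lower-cased keywords)
    # after Include/drop-in processing; grepping sshd_config alone can pass
    # while a drop-in under sshd_config.d still enables password logins.
    - name: Read effective sshd configuration
      ansible.builtin.command: sshd -T
      become: true
      changed_when: false
      register: sshd_cfg

    - name: Read ufw status
      ansible.builtin.command: ufw status verbose
      become: true
      changed_when: false
      register: ufw_status

    - name: Collect service state
      ansible.builtin.service_facts:
      become: true

    - name: Assert the baseline is in place
      ansible.builtin.assert:
        that:
          - "'permitrootlogin no' in sshd_cfg.stdout_lines"
          - "'passwordauthentication no' in sshd_cfg.stdout_lines"
          - "'pubkeyauthentication yes' in sshd_cfg.stdout_lines"
          - "'Status: active' in ufw_status.stdout"
          - "'Default: deny (incoming), allow (outgoing)' in ufw_status.stdout"
          - "'22/tcp' in ufw_status.stdout"
          - "ansible_facts.services['fail2ban.service'].state == 'running'"
        fail_msg: "Baseline drift on {{ inventory_hostname }}"
        success_msg: "{{ inventory_hostname }}: baseline OK"
```

Run it with `ansible-playbook -i inventory/servers.yaml verify.yml`. Every task is read-only (`changed_when: false`), so it is safe to run as often as you like, for example after each convergence or from a scheduled job to detect drift.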
## Notes

- Convergence is **idempotent**: re-running it reapplies the same desired state, so tasks that are already satisfied report `ok` and change nothing; it will not break your server.
- Only your workstation (control node) needs the age private key; hosts never see it. The `age` and `sops` binaries installed on the host are tooling only, not a copy of your key.
- Additional roles (e.g. WireGuard, Kubernetes, apps) can be layered later.