Author: Derek Laventure
Cloud, Infrastructure, Ansible, Aegir, Drupal Planet


You are reading our blog series: Pure Ansible Infrastructure


We’ve done it! Over the last 6 posts, we’ve reviewed in detail all the major components of our simplified Infrastructure-as-Code (IaC) setup, and we’re ready to pull it all together to spin up an Aegir3 instance.

With the pieces we have covered so far, we can run the following to get up to the point of actually installing Aegir:

pipenv shell  # Activate venv
source d      # Bootstrap Drumkit
make tools    # Install Ansible and Galaxy dependencies
make infra    # Run playbooks/infra/00-up.yml

This will get us a Project, a VPC, and a Firewall at DigitalOcean, configured with the names and settings we’ve described in our previous posts. To get from here to a working Aegir, all we need is a host Droplet, standard LEMP stack dependencies, and then Aegir itself.

Aegir0 (host)

First of all, let’s use our consensus.infra.droplet role to create our host Droplet, and wrap a make aegir-droplet target to run the playbook playbooks/hosts/aegir0.yml:

---
- name: aegir Droplet
  hosts: localhost
  gather_facts: true
  vars:
    droplet_hostname: aegir0
    droplet_domain: cloudcity.dev
    droplet_project: "{{ do_project_name }}"
    droplet_firewall: "{{ web_droplet_firewall }}"
    droplet_tags: ["web", "aegir"]
    droplet_size: "s-2vcpu-2gb"
    droplet_vpc: "{{ do_vpc_name }}"
    outgoing_email_password: "{{ vaulted_outgoing_smtp_password }}"
    outgoing_email_default: "{{ org_technical_contact_email }}"
    oauth_token: "{{ vault_do_api_token }}"
    gandi_token: "{{ vaulted_gandi_access_token }}"
  roles:
    - consensus.infra.droplet

As discussed previously, the Droplet-specific vars are embedded directly in the playbook here, because we don’t have a manifest or other registry to logically place these. This playbook (along with the others in playbooks/hosts) becomes the de facto manifest for the project.

Aegir3

Now that we have a host, we can target it with a playbooks/apps/aegir.yml playbook to call our consensus.aegir.aegir role, and introduce our make aegir-app target.

This playbook has some conditional checks before and after to ensure everything works correctly, but ultimately boils down to this:

---
- name: "End-to-end Aegir 3 build from git source."
  hosts: aegir
  gather_facts: true

  roles:
    - role: geerlingguy.mysql
      become: True
    - role: geerlingguy.nginx
      become: True
    - role: geerlingguy.php-versions
      become: True
    - role: geerlingguy.php
      become: True
    - role: geerlingguy.composer
      become: True
    - role: consensus.aegir.aegir
      become: True

We simply run a series of roles in sequence, building up the stack of software to support Aegir, and then finally Aegir itself.

make aegir

Tying the two previous playbooks together, we can implement a make aegir target simply:

aegir: aegir-droplet aegir-app

aegir-droplet:
	ansible-playbook playbooks/hosts/aegir0.yml

aegir-app:
	ansible-playbook playbooks/apps/aegir.yml

Added to the steps at the top of this post, this new target will complete the provisioning of an Aegir3 instance at DigitalOcean.

Note that drumkit/mk.d/30_aegir.mk also has “down” variants of these targets:

  • make aegir-down - deregister from Tailscale and destroy the Droplet
  • make aegir-ts-down - only deregister from Tailscale (do not destroy Droplet)
  • make aegir-droplet-down - only destroy the Droplet (in case Tailscale is already offline)

A note about SSL: you will note that the playbooks and roles involved here DO NOT provision SSL certificates of any kind for the Aegir instance. I’ve left this piece out here for two reasons:

  1. There are many ways to achieve this, and we don’t need it for our purposes
  2. Even with SSL, your Aegir3 instance shouldn’t be exposed to the public internet anyway, since it’s based on Drupal 7.

NB: Please take care to properly secure your Aegir3 instance, as it runs Drupal 7, which is EOL! This could be done by adding firewall rules, reconfiguring your Nginx virtualhost to listen on your Tailscale interface, or similar.
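
One way to check the result of the Nginx option above, as an added example that is not part of the original post or the Consensus repositories: a Python script that scans Nginx configuration text (for instance the output of `nginx -T`) and reports every `listen` directive bound to something other than a unix socket, loopback, or a Tailscale address. The sample configuration and its addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Tailscale hands out node addresses from these two ranges.
TAILSCALE_NETS = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "fd7a:115c:a1e0::/48")]
LISTEN_RE = re.compile(r"^\s*listen\s+([^;\s][^;]*);", re.MULTILINE)  # skips commented lines

# Constructed sample; the 100.x and fd7a: addresses are made up.
SAMPLE = """
server {
    listen 80 default_server;
    listen [::]:80;
    # listen 8080;
    listen 100.101.102.103:80;
    listen 127.0.0.1:8080;
    listen [fd7a:115c:a1e0::53]:80;
}
"""

def listen_host(args):
    """Bind host of a listen directive, or None when it binds every interface."""
    target = args.split()[0]
    if target.startswith("unix:"):
        return "unix"
    if target.startswith("["):                  # [::]:80, [fd7a:...]:80
        host = target[1:target.index("]")]
    elif target.isdigit():                      # bare port
        return None
    else:                                       # addr:port or bare addr
        host = target.rsplit(":", 1)[0]
    return None if host in ("*", "0.0.0.0", "::") else host

def is_private(host):
    """True for unix sockets, loopback and Tailscale addresses only."""
    if host in ("unix", "localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host or "")
    except ValueError:                          # wildcard or unresolved name
        return False
    return ip.is_loopback or any(ip in net for net in TAILSCALE_NETS)

def exposed_listens(config_text):
    """Return listen directives not restricted to loopback or Tailscale."""
    return [m.group(1).strip() for m in LISTEN_RE.finditer(config_text)
            if not is_private(listen_host(m.group(1)))]

if __name__ == "__main__":
    print(exposed_listens(SAMPLE))
```

An empty result only means Nginx is not bound to a public interface; host and cloud firewall rules are a separate layer and still need their own review.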

Also, if you’re not aware, Aegir5 is our effort to modernize Aegir based on modern Drupal with an Ansible-driven backend. This will be a secure replacement for Aegir, but since it’s not production-ready yet, we’re using Aegir3 as a stopgap for the time being.

Simplicity unlocked

Over the years, we at Consensus have wrangled with a lot of necessary complexity. The nature of the problems we tend to help our clients solve often means it’s unavoidable. In that context it’s especially useful to stay focused on keeping things as simple as possible, ensuring we don’t make things worse by piling extra complexity on top of the inevitable stuff.

The process of simplifying our internal infrastructure has been a great example of radical simplification. We’ve already seen a reduction in costs, both financial and operational. Our infrastructure team is reinvigorated by the ease of interacting with our new suite of servers, inspired to use and extend them.

To review:

  • We dropped Terraform, which is a great tool but represented unnecessary complexity in our context.
  • We replaced a custom-built Wireguard server with Tailscale.
  • We split our DEV and PROD environments into distinct repositories.
  • We published key components of the solution to share between DEV and PROD.
  • We built up a simple codebase structure to house infrastructure, host, and application playbooks.
  • We used Drumkit to provide easy target commands to accomplish key workflow tasks.

I hope this series has illustrated our approach and how it all fits together. If you are interested in exploring further, feel free to use our example repository as a base. We’ve left detailed usage notes in the README explaining how to adapt it for your own use.

If you do try something like this yourself, or you just have questions or comments, don’t hesitate to get in touch.

Aegir5

For those in the Drupal community familiar with the Aegir project, I will say again: the use of Aegir3 here is a stopgap until we can get Aegir5 ready to replace it. In the meantime, we’re very pleased to have worked out a path for existing Aegir3 installations to support Drupal 8 through 11. Stay tuned for upcoming details on this as well as new developments with Aegir5!


The article make targets, Droplets, and Aegir, oh my! first appeared on the Consensus Enterprises blog.
