Discourse SysAdmin Resources

Some resources on hardening Ubuntu servers for Discourse, updating, SSH tools etc

Hardening Ubuntu Servers

https://www.lifewire.com/harden-ubuntu-server-security-4178243

Ansible Playbook for updating Discourses

https://github.com/pacharanero/ansible-discourse-updater

SSH tools & tips

  • MoSH - UDP-based client/server terminal application similar to SSH, much more tolerant of poor connections, dropouts, mobile data, etc
  • ssh-import-id

Cool! What do you see as the advantages of using the ansible-discourse-updater? I’m wondering whether and how we can integrate automation like this into the update service @Eli has been working on.

@Eli Have we got a public topic for that yet?

  • Having a clear recipe for what should happen at an update, which is always followed by Ansible, is one of the main advantages. There’s no forgetting to do some part of it or getting distracted mid-task. Bear in mind that not everyone agreed with what I have in my ansible playbook here, when I posted it on Meta. Feedback very welcome and a safe, reproducible updater tool that we can all use and trust would be a nice output.

  • Updating multiple servers from a single command. When you have 9 Discourses to upgrade via the command line, it’s nice to be able to set up Ansible and let it do the work of logging in, running the script, and reporting back to you.

I’ve been using Ansible to update Discourse servers and it is mostly good, but as soon as there is an issue you need to revert to doing it manually. These are the tasks I use (the servers have a discourse user):

---
- name: Docker system prune to free up space
  command: docker image prune -a --force --filter "until=240h"
  args:
    chdir: /var/discourse
  become: true
  become_user: discourse

- name: Git pull
  command: git pull
  args:
    chdir: /var/discourse
  become: true
  become_user: discourse
  register: servers_discourse_git_pull

- name: Rebuild app
  command: ./launcher rebuild app
  args:
    chdir: /var/discourse
  become: true
  become_user: discourse
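  # The command module reports "changed" on every run unless changed_when is
  # set on the registering task, so as written this condition is always true.
  when: servers_discourse_git_pull.changed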
...

For Debian / Ubuntu updates I use this role and other Discourse-specific Ansible code is in this repo:

https://git.coop/webarch/discourse

This was written a couple of years ago when I was first starting to use Ansible and needs a major re-write / refactoring. The most interesting part of it is the Postfix config for using the host to send and receive SMTP email, and I do have some work from a client next week to add DKIM support to this using opendkim, so I should get a chance to update the rest of the repo at the same time.

PS I also use mosh and ssh-import-id :slight_smile: .
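
An added example, not code from this thread or from either linked repository: the tasks above arranged as a play that updates several Discourse hosts one at a time and stops at the first failure, so a broken rebuild is not repeated across every server. The `discourse_servers` group and the per-host `discourse_url` variable are hypothetical, and using `/srv/status` as the health-check path is an assumption; `/var/discourse` and the `discourse` user come from the post.

```yaml
---
# Added example. "discourse_servers" and "discourse_url" are hypothetical
# names; /var/discourse and the discourse user are taken from the post.
- name: Update Discourse one host at a time
  hosts: discourse_servers
  serial: 1               # finish and verify one server before the next
  any_errors_fatal: true  # first failure ends the run for remaining hosts
  become: true
  become_user: discourse
  tasks:
    - name: Git pull
      ansible.builtin.command: git pull --ff-only
      args:
        chdir: /var/discourse
      register: servers_discourse_git_pull
      # command reports "changed" on every run unless changed_when is set;
      # git prints "Already up to date." (older: "up-to-date") when idle.
      changed_when: "'Already up' not in servers_discourse_git_pull.stdout"

    - name: Rebuild app
      ansible.builtin.command: ./launcher rebuild app
      args:
        chdir: /var/discourse
      changed_when: true  # a rebuild always replaces the running container

    - name: Check that the site answers after the rebuild
      # Assumption: the site serves a health endpoint at /srv/status.
      ansible.builtin.uri:
        url: "{{ discourse_url }}/srv/status"
        status_code: 200
      become: false
      delegate_to: localhost  # probe from the control node, as a user would
      register: servers_discourse_status
      until: servers_discourse_status.status == 200
      retries: 10
      delay: 15
...
```

The rebuild here runs on every host regardless of the `git pull` result; the `changed_when` line only makes the play's change report accurate.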