stratiform is an Ansible playbook for provisioning, configuring, and managing DigitalOcean droplets.

• 1. Setup
  • 1.1. Security
  • 1.2. Usability
• 2. Usage
  • 2.1. Hosts
  • 2.2. Group Vars
  • 2.3. Special Variables
  • 2.4. Images, Sizes, and Regions
    • 2.4.1. Sizes
    • 2.4.2. Droplet Images
• 3. Playbook

This playbook requires the following ansible-galaxy roles and collections:

• community.digitalocean
• community.general

• oefenweb.fail2ban

To install these dependencies, run the following commands from the root folder of this repository:

ansible-galaxy collection install -r collection-requirements.yml
ansible-galaxy install -r role-requirements.yml

For further documentation on the these collections and roles, see the official docs on Ansible Galaxy

• community.digitalocean
• community.general
• oefenweb.fail2ban

In addition to basic droplet provisioning, some post-provisioning is also performed in order to make the environment a little more user-friendly and secure, by installing the following:

• Non-Root SSH access (DigitalOcean Droplets use root by default)
• Mandatory Access Controls (via AppArmor/SELinux)
• UFW (Ubuntu Only)
• Fail2Ban

• bandwhich
• Homebrew for Linux, AKA Linuxbrew
• bat
• duf
• dust
• exa
• fd
• jq
• Oh-My-Vim
• procs
• ripgrep
• sd
• tldr
• ZSH (w/Antigen)

NOTE: If you would like to opt NOT to install these extra tools, add 'install_extras': no to the environment variables dictionary in the ansible-playbook command listed below, or alternatively, add install_extras: no to ./group_vars/all before running the playbook.

Hosts in this playbook are not static, and are registered by the do_droplet role into the dynamic inventory.

./group_vars/all is the main configuration source for this playbook. Any variables you need to update can be found there. Please do not update or change the role variables or edit the tasks or site.yml directly.

In order to provision a new droplet, you must provide your DigitalOcean OAuth/API Token, along with at least one SSH key fingerprint from your DigitalOcean account.

These values should never be checked in as code, thus the best way to pass them is at runtime as a JSON object, with the SSH key fingerprints passed as a list element. The exact syntax can be found below.

DigitalOcean's API refers to their various droplet sizes, images, and regions using slugs. Valid droplet size, region, and image slugs are as follows:

NOTE: This is only a list of slugs for standard images. For a list of One-Click Application images, consult the official API docs, or use the following doctl command:

doctl compute image list-application

Currently this playbook only fully supports Ubuntu-based images.

To run the playbook and set up droplets, run the following command:

ansible-playbook -e "{'do_api_key':'<your_digitalocean_api_key>','do_ssh_key_fingerprints':['00:de:ad:be:ef:88:ab:cd:ef:12:34:56:78:00:aa:bb','...']}" site.yml

You can also use a Vault by placing the following YAML data into ./group_vars/vault.yml along with an accompanying vault password in ./.vaultpasswd:

do_api_key: '<your_digitalocean_api_key>'
do_ssh_key_fingerprints: ['00:de:ad:be:ef:88:ab:cd:ef:12:34:56:78:00:aa:bb','...']

NOTE: To get your SSH Key Fingerprint, run the following command:

ssh-keygen -E md5 -lf ~/.ssh/id_rsa | cut -d' ' -f2 | sed s/MD5\://g