Automatically setting up a secure connection between an NGINX server and a client using Ansible and Terraform

Žygimantas Magelinskas
Feb 9, 2021

I ran a simple NGINX server with a WireGuard tunnel between the server and the client, and here’s a tutorial on how to do it. The Ansible playbook and Terraform scripts are open source and can be reused to deploy other services on the Syntropy network; they cover creation of the Syntropy network, deployment of the NGINX server and orchestration of the GCP and Linode instances.

The network this example will create

Showcase video

For people who like to visualize the steps, this is a good starting point (however, it may not include all of the details).

Demonstration of the use case

How to get started?

Firstly, you will have to clone the repository that contains all of the examples (including this one). The repository can be found here. The directory you will need to continue is nginx-and-curl-client-terraform-ansible.

Prerequisites to get started

The GitHub README mentions a few prerequisites that you will need in order to try playing with this example:

  • An active Syntropy Platform account and its agent token (tutorial here)
  • A Linode Personal Access Token (if you know how, you can change the Terraform files to use other cloud providers)
  • A Google Cloud Provider service credential key
  • Terraform and Ansible ≥ 2.10 installed on your bastion host

There are two main steps to set up this example:

  • Automatically set up the infrastructure using Terraform
  • Provision the hosts with the Syntropy Agent, NGINX and the Curl client using Ansible playbooks

Provisioning the infrastructure

To use Terraform with GCP and Linode, you first have to set up the Terraform variables. To make this easier, I’ve included an example variables file at infra/terraform.tfvars.example. Once the variables are filled in, initialize the Terraform backend with terraform init. Then run terraform apply, confirm the provisioning plan, and Terraform will handle everything else.

The Terraform configuration will automatically:

  • generate a root password for the Linode instance
  • create a g6-standard-1 instance on Linode and automatically provision an SSH key
  • create an e2-small instance on GCP and also automatically provision an SSH key
  • create an Ansible inventory file for later use

To confirm the infrastructure, you can go to the cloud consoles and everything should look like this (GCP and Linode respectively):

GCP instance up and running
NGINX server running on Linode in Frankfurt, DE

Provisioning the software

After the servers are up and running, Ansible will handle everything else:

  • install the EPEL repo
  • install the WireGuard kernel module and its tools
  • install Docker and create a Docker network
  • deploy the Syntropy agent on both nodes
  • deploy the NGINX Docker image
  • finally, create the Syntropy network between the NGINX and Curl nodes

Just like with Terraform, you need to fill in the Ansible variables. There is an example file at ansible/vars/main.yml.example. As mentioned before, you need to create a Syntropy Agent token in the Platform.

To complete the setup, run ansible-playbook main.yml -i inventory.yml in the ansible directory. Ansible will run through the steps listed above and complete the setup for you.

After that, you can verify on the Syntropy Platform that your created network looks like the one in the image.

Testing out the setup

After everything is done, you can connect to the Curl node using SSH with the command ssh curl@<IP_IN_INVENTORY.YML>.

The connection that is made

Note down the internal IP of the NGINX service, which in my case is 10.44.0.2. You can then test the NGINX server connection by running curl http://10.44.0.2. If everything is OK, it should output:

[curl@curl-client ~]$ curl http://10.44.0.2
<html>
<head>
<title>Syntropy Curl -> Nginx</title>
</head>
<body>
<h1>Hello from Syntropy!</h1>
</body>
</html>
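
The curl test above uses plain HTTP, so it is only protected if the request actually leaves through the WireGuard tunnel. The script below is an added example, not part of the article's repository: run on the Curl node, it confirms that the kernel routes the NGINX internal IP over a WireGuard interface before making the request. The sample `ip` output, the interface name `wg0` and the address 10.69.0.5 are constructed, and it assumes the agent's tunnel interface is visible in the host's network namespace.

```shell
#!/bin/sh
# Added example (not from the article's repository): before trusting plain-HTTP
# curl to the NGINX internal IP, confirm the kernel routes it via a WireGuard link.

# Print the egress device named in `ip route get` output read from stdin.
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed if `ip -d link show` output on stdin has the "wireguard" link-kind line.
is_wireguard_link() {
    grep -Eq '^[[:space:]]+wireguard([[:space:]]|$)'
}

# Classify a route: prints tunnel:<dev>, plaintext:<dev> or no-route.
# $1 = `ip route get` output, $2 = `ip -d link show dev <dev>` output.
check_tunnel() {
    dev=$(printf '%s\n' "$1" | route_dev)
    if [ -z "$dev" ]; then echo "no-route"; return 2; fi
    if printf '%s\n' "$2" | is_wireguard_link; then
        echo "tunnel:$dev"; return 0
    fi
    echo "plaintext:$dev"; return 1
}

# Live check on the Curl node: route first, HTTP request only if tunnelled.
live_check() {
    target=$1
    route_out=$(ip route get "$target") || return 2
    dev=$(printf '%s\n' "$route_out" | route_dev)
    link_out=$(ip -d link show dev "$dev" 2>/dev/null)
    check_tunnel "$route_out" "$link_out" || return 1
    curl -fsS --max-time 5 "http://$target" | grep -q 'Hello from Syntropy!'
}

# Constructed sample outputs (interface name and source address are made up).
SAMPLE_ROUTE='10.44.0.2 dev wg0 src 10.69.0.5 uid 1000'
SAMPLE_LINK='5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN
    link/none  promiscuity 0
    wireguard addrgenmode none numtxqueues 1 numrxqueues 1'

if [ "$#" -gt 0 ]; then
    live_check "$1"          # e.g. sh check_tunnel.sh 10.44.0.2
else
    check_tunnel "$SAMPLE_ROUTE" "$SAMPLE_LINK"   # offline demo on the samples
fi
```

A `plaintext:<dev>` result means the internal IP is being routed over an ordinary interface, so the HTTP request would not be protected by the tunnel.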
