DigitalOcean Ansible Guide

Ansible playbooks breakdown#

For modules used from Ansible-Galaxy / GitHub see the requirements file.

Ansible within this template does the following:


  1. Loads encrypted Variables from crypt_vars/all.yml
  2. Loads tf_vars from Terraform via tf_vars/tf_vars.yml
  3. Runs the Apt role to install a handful of required/useful packages
  4. Sets up 3 users: root, devops, and deploy
  5. Triggers the strapi_database.yml playbook

User definitions are as such (They all have no password set, aka disabled password):

  • Root user => initial connection for main.yml, using defined SSH key in Terraform
  • Devops user => "Admin" sudo user you should regularly use to connect or allow team members to connect to (adjust to fit your needs) and also used for the database/strapi server setup (stop using root people)
  • Deploy user => Strapi's service user, what Strapi runs as

Deploy user does not have sudo perms, this is intended!

Apt packages that are installed on both systems are:

  • software-properties-common
  • build-essential
  • net-tools
  • zip
  • unzip

It will also automatically apply software updates using the dist upgrade and automatically remove packages that are no longer needed.


  1. Loads encrypted Variables from crypt_vars/database.yml
  2. Loads tf_vars from Terraform via tf_vars/tf_vars.yml
  3. Installs MariaDB v10.3
  4. Creates a database for Strapi
  5. Creates a user for Strapi
  6. Sets user permissions on the database
  7. Triggers the strapi_server.yml playbook

Database name and user are based on the labels you set for the DigitalOcean instances in Terraform, thus the defaults are:

  • DB Name: my-strapi-db
  • DB User: my-strapi-admin

The password is stored in the crypt_vars/database.yml and this file should be encrypted (see instructions below on dealing with Ansible-Vault)


  1. Loads encrypted Variables from crypt_vars/strapi.yml
  2. Loads encrypted Variables from crypt_vars/database.yml
  3. Loads tf_vars from Terraform via tf_vars/tf_vars.yml
  4. Installs Node via the version defined in group_vars/strapi.yml (default is v14)
  5. Installs yarn
  6. Installs the client (way better than certbot)
  7. Requests Let's Encrypt SSL Cert using Cloudflare DNS-01 Verification
  8. Installs Nginx, configures upstream, deploys configs for HTTP => HTTPs
  9. Creates the deploy directory and various child directories /srv/deploy/*
  10. Installs PM2 globally
  11. Sets up PM2 to be loaded on reboot and start previous services
  12. Triggers the strapi_dply.yml playbook


First off don't ask why it's named this way, the Ansible linter I use throws errors if I use deploy and I'm lazy and don't feel like fixing it. ¯\_(ツ)_/¯

  1. Loads encrypted Variables from crypt_vars/strapi.yml
  2. Loads encrypted Variables from crypt_vars/database.yml
  3. Loads tf_vars from Terraform via tf_vars/tf_vars.yml
  4. Uses the ansistrano deployment system to version deployments and make it easier to rollback if failures happen.
  5. Pulls project from Git source
  6. Pushes templated .env and ecosystem.config.js for Strapi and PM2
  7. Installs node_modules (using yarn, fuck npm)
  8. Builds the Strapi Admin in production mode (Stop deploying dev servers)
  9. Starts/Reloads Strapi application

Eventually I want to add checking to ensure the Strapi project started correctly and do an automated DB backup. Should failures occur then it would run the rollback playbook and restore the DB from the backup.



This feature is not developed yet

Ansible Requirements#

First off, if you are not familiar with Ansible-Vault what are you doing with your life? Go do some research. There is a default Ansible config that sets some sane defaults located here. I suggest you read through it to understand how it's setup.

This template uses various roles from Ansible-Galaxy and misc GitHub repos, I suggest you look at the requirements file and review their documentation if you plan to make changes. There is also a script to automatically install them.

Next you need to make a vault_password file at the ansible folder root to encrypt/decrypt the crypt_vars/* files. See the example folder and it's for some templates and a sample encrypted file. There is a password generation script located here for my fellow lazy folks. Keep that password safe and handy, if you lose it, back to square one on configuring shit

Ansible Instructions#


This section is still a WIP

Rough breakdown for those that can't wait:

  • run the ./
  • create your vault_password file
  • configure your vars
  • run the ./ main.yml