Collection of Ansible playbooks used in the Verdnatura server farm

Go to file

Juan Ferrer 689e4b5eb0 Merge pull request 'Refs #8025 : Refactor-awx - rol Debian-base - Task grub_startup. Add no_log: true to hide hash' (!40 ) from 8025-refactor-awx_Task_grub_startup-added_no_log_true into main Reviewed-on: #40 Reviewed-by: Juan Ferrer <juan@verdnatura.es>		2024-10-25 12:12:03 +00:00
collections	refs #8025 Add ansible.posix collection to enable authorized_key module	2024-10-22 19:01:41 +02:00
context	refs #8025 root witness fixes, requirements fixes	2024-10-20 14:12:46 +02:00
inventories	Initial commit	2024-10-16 17:53:15 +02:00
playbooks	Refs #8025 : Role debian-base. Remove debian-once.yaml	2024-10-17 16:30:42 +02:00
roles	Refs #8025 : Refactor-awx - rol Debian-base - Task grub_startup. Add no_log: true to hide hash	2024-10-25 14:02:03 +02:00
.gitignore	Initial commit	2024-10-16 17:53:15 +02:00
.passbolt.tpl.yml	Initial commit	2024-10-16 17:53:15 +02:00
LICENSE	Initial commit	2024-10-16 17:53:15 +02:00
README.md	refs #8025 List tags command added to README	2024-10-23 14:29:35 +02:00
ansible.cfg	refs #8025 root witness fixes, requirements fixes	2024-10-20 14:12:46 +02:00
execution-environment.yml	Initial commit	2024-10-16 17:53:15 +02:00
requirements.txt	Initial commit	2024-10-16 17:53:15 +02:00
run-playbook.sh	Initial commit	2024-10-16 17:53:15 +02:00

README.md

Verdnatura Ansible playbooks

Collection of Ansible playbooks used in the Verdnatura server farm.

Setup Ansible

Debian

Install Ansible package.

apt install ansible

Python

Create a Python virtual environment.

python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0

Before running any Python dependent command, activate the virtual environment.

source venv/bin/activate

Once you are done, deactivate the virtual environment.

deactivate

All platforms

Install dependencies.

pip install -r requirements.txt
ansible-galaxy collection install -r collections/requirements.yml

Run playbook

Before merging changes into protected branches, playbooks should be tested locally to ensure they work properly. The inventories/local inventory is not uploaded to the repository and can be used for local testing. In any case, it is advisable to use a different repository to store inventories.

Run playbook on inventory host.

ansible-playbook -i inventories/local -l <host> [-t tag1,tag2...] playbooks/ping.yml

Run playbook on the fly on a host not declared in the inventory.

ansible-playbook -i <ip_or_hostname>, playbooks/ping.yml

Note the comma at the end of the hostname or IP.

List available tags for playbook.

ansible-playbook playbooks/<playbook_name>.yml --list-tags

Manage secrets

Secrets can be managed by using Ansible vault or an external keystore, Passbolt is used in this case. It is recommended to use an external keystore to avoid publicly exposing the secrets, even if they are encrypted.

When running playbooks that use any of the keystores mentioned above, the run-playbook.sh script can be used, it is an ovelay over the original ansible-playbook command which injects the necessary parameters.

Passbolt

Add the necessary environment variables to the .passbolt.yml file, the template file .passbolt.tpl.yml is included as a reference:

https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/docs/

Ansible vault

To manage Ansible vault place the encryption password into .vault-pass file.

Manage the vault.

ansible-vault {view,edit,create} --vault-pass-file .vault-pass .vault.yml

The files used for the vault must only be used locally and under no circumstances can they be uploaded to the repository.

Build execution environment for AWX

Create an image with ansible-builder and upload it to registry.

ansible-builder build --tag awx-ee:vn1

Common playbooks

facts.yml: Collect and display facts from a host
ping.yml: Check that a host is alive and reachable
awx.yml: Create and configure AWX user
debian.yml: Setup base Debian server