# Verdnatura Ansible playbooks
Collection of Ansible playbooks used in the Verdnatura server farm.
## Setup Ansible
Install Ansible on Debian.
```
apt install ansible
```
Create Python virtual environment.
```
python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0
pip install -r requirements.txt
deactivate
```
Install dependencies.
```
ansible-galaxy collection install -r collections/requirements.yml
```
Before running any Ansible command, activate the Python virtual environment.
```
source venv/bin/activate
```
## Run playbook
Before merging changes into protected branches, playbooks should be tested
locally to ensure they work properly.
Run a playbook on an inventory host.
```
ansible-playbook -i inventories/lab -l <host> [-t tag1,tag2...] playbooks/ping.yml
```
Run a playbook on the fly against a host that is not declared in the inventory.
```
ansible-playbook -i <ip_or_hostname>, playbooks/ping.yml
```
*Note the comma at the end of the hostname or IP.*
## Manage secrets
Secrets can be managed with Ansible vault or with an external keystore; in this
repository Passbolt is used. An external keystore is recommended so that the
secrets are never exposed publicly, even in encrypted form.
When running playbooks that use any of the keystores mentioned above, the
*run-playbook.sh* script can be used. It is an overlay over the original
*ansible-playbook* command which injects the necessary parameters.
### Passbolt
Add the necessary environment variables to the *.passbolt.yml* file. The
template file *.passbolt.tpl.yml* is included as a reference:
* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/docs/
### Ansible vault
To manage the Ansible vault, place the encryption password into the *.vault-pass* file.
Manage the vault.
```
ansible-vault {view,edit,create} --vault-pass-file .vault-pass .vault.yml
```
> The files used for the vault must only be used locally and
> under **no** circumstances can they be uploaded to the repository.
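A pre-commit guard that enforces the rule above, added here as an example and not part of the vn-ansible repository: it rejects the local-only files named in this README (`.vault-pass`, `.vault.yml`, `.passbolt.yml`) and any staged file with "vault" in its path whose first line is not the `$ANSIBLE_VAULT;` header that ansible-vault writes. Installing it as `.git/hooks/pre-commit` and the `--hook` flag are assumptions.

```shell
#!/bin/sh
# Added example (not vn-ansible code): refuse to commit the local-only secret
# files from this README, and refuse plaintext files that look like vault material.
# Assumed usage: copy to .git/hooks/pre-commit and call with "--hook".

# Local-only files named in the README: never allowed in the repository.
FORBIDDEN_FILES=".vault-pass .vault.yml .passbolt.yml"

# Returns 0 if the given path is one of the forbidden local-only files.
is_forbidden_path() {
    name=$(basename "$1")
    for f in $FORBIDDEN_FILES; do
        [ "$name" = "$f" ] && return 0
    done
    return 1
}

# Returns 0 if the file is an Ansible vault blob: encrypted files start with
# a "$ANSIBLE_VAULT;<version>;<cipher>" header line.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Checks a list of staged paths; prints each offender and returns 1 if any.
check_staged_paths() {
    rc=0
    for path in "$@"; do
        if is_forbidden_path "$path"; then
            echo "refusing to commit local-only secret file: $path" >&2
            rc=1
        elif [ -f "$path" ] && echo "$path" | grep -qi 'vault' \
                && ! is_vault_encrypted "$path"; then
            echo "refusing to commit unencrypted vault file: $path" >&2
            rc=1
        fi
    done
    return $rc
}

# When run as a git hook, check the files staged for this commit.
if [ "${1:-}" = "--hook" ]; then
    # shellcheck disable=SC2046
    check_staged_paths $(git diff --cached --name-only --diff-filter=ACMR)
fi
```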
## Build execution environment for AWX
Create an image with *ansible-builder* and upload it to the registry.
```
ansible-builder build --tag awx-ee:vn1
```
## Common playbooks
* **facts.yml**: Collect and display facts from a host
* **ping.yml**: Check that a host is alive and reachable
* **awx.yml**: Create and configure the AWX user
* **debian.yml**: Set up a base Debian server
## Documentation
* https://docs.ansible.com/ansible/latest/reference_appendices/config.html
* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/gather_facts_module.html
* https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html
* https://ansible.readthedocs.io/projects/builder/en/latest/
* https://www.ansible.com/blog/introduction-to-ansible-builder/
* https://github.com/ansible/awx-ee/tree/devel
* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt