vn-ansible/README.md

112 lines
3.1 KiB
Markdown
Raw Normal View History

2024-10-16 15:53:15 +00:00
# Verdnatura Ansible playbooks
Collection of Ansible playbooks used in the Verdnatura server farm.
## Setup Ansible
### Debian
Install Ansible package.
```
apt install ansible
```
### Python
Create a Python virtual environment.
```
python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0
```
Before running any Python dependent command, activate the virtual environment.
```
source venv/bin/activate
```
Once you are done, deactivate the virtual environment.
```
deactivate
```
### All platforms
Install dependencies.
```
pip install -r requirements.txt
ansible-galaxy collection install -r collections/requirements.yml
```
## Run playbook
Before merging changes into protected branches, playbooks should be tested
locally to ensure they work properly. The *inventories/local* inventory is not
uploaded to the repository and can be used for local testing. In any case, it
is advisable to use a different repository to store inventories.
Run playbook on inventory host.
```
ansible-playbook -i inventories/local -l <host> [-t tag1,tag2...] playbooks/ping.yml
```
Run playbook on the fly on a host not declared in the inventory.
```
ansible-playbook -i <ip_or_hostname>, playbooks/ping.yml
```
*Note the comma at the end of the hostname or IP.*
## Manage secrets
Secrets can be managed by using Ansible vault or an external keystore, Passbolt
is used in this case. It is recommended to use an external keystore to avoid
publicly exposing the secrets, even if they are encrypted.
When running playbooks that use any of the keystores mentioned above, the
*run-playbook.sh* script can be used, it is an ovelay over the original
*ansible-playbook* command which injects the necessary parameters.
### Passbolt
Add the necessary environment variables to the *.passbolt.yml* file, the
template file *.passbolt.tpl.yml* is included as a reference:
* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/docs/
### Ansible vault
To manage Ansible vault place the encryption password into *.vault-pass* file.
Manage the vault.
```
ansible-vault {view,edit,create} --vault-pass-file .vault-pass .vault.yml
```
> The files used for the vault must only be used locally and
> under **no** circumstances can they be uploaded to the repository.
## Build execution environment for AWX
Create an image with *ansible-builder* and upload it to registry.
```
ansible-builder build --tag awx-ee:vn1
```
## Common playbooks
* **facts.yml**: Collect and display facts from a host
* **ping.yml**: Check that a host is alive and reachable
* **awx.yml**: Create and configure AWX user
* **debian.yml**: Setup base Debian server
## Documentation
* https://docs.ansible.com/ansible/latest/reference_appendices/config.html
* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/gather_facts_module.html
* https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html
* https://ansible.readthedocs.io/projects/builder/en/latest/
* https://www.ansible.com/blog/introduction-to-ansible-builder/
* https://github.com/ansible/awx-ee/
* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt