# Verdnatura Ansible playbooks

Collection of Ansible playbooks used in the Verdnatura server farm.

## Setup Ansible

### Debian

Install the Ansible package.

```
apt install ansible
```

### Python

Create a Python virtual environment.

```
python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0
```

Before running any Python-dependent command, activate the virtual environment.

```
source venv/bin/activate
```

Once you are done, deactivate the virtual environment.

```
deactivate
```

### All platforms

Install dependencies.

```
pip install -r requirements.txt
ansible-galaxy collection install -r collections/requirements.yml
```

## Run playbook

Before merging changes into protected branches, playbooks should be tested
locally to ensure they work properly. The *inventories/local* inventory is not
uploaded to the repository and can be used for local testing. In any case, it
is advisable to use a different repository to store inventories.

Run a playbook on an inventory host.

```
ansible-playbook -i inventories/local -l <host> [-t tag1,tag2...] playbooks/ping.yml
```

Run a playbook on the fly on a host not declared in the inventory.

```
ansible-playbook -i <ip_or_hostname>, playbooks/ping.yml
```

*Note the comma at the end of the hostname or IP.*

## Manage secrets

Secrets can be managed with Ansible vault or an external keystore; Passbolt is
the keystore used in this case. Using an external keystore is recommended to
avoid publicly exposing the secrets, even if they are encrypted.

When running playbooks that use any of the keystores mentioned above, the
*run-playbook.sh* script can be used. It is an overlay over the original
*ansible-playbook* command which injects the necessary parameters.
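
The repository's *run-playbook.sh* is not shown on this page. The following POSIX shell script is an added example, not the project's own wrapper, written in the same spirit for the two commands above: it appends the trailing comma an ad-hoc host needs (so `ansible-playbook` reads the argument as an inline host list instead of looking for an inventory file), and it injects `--vault-password-file .vault-pass` only when that file exists and is readable by its owner alone. The function names, the `DRY_RUN` and `RUN_PLAYBOOK_MAIN` variables and the mode-600 check are assumptions of this example.

```shell
#!/bin/sh
# Added example: a wrapper in the spirit of run-playbook.sh (assumption: the real
# script's flags and behaviour are not shown in the README). It normalizes the
# inventory argument and injects the vault password file only when it is safe.

# Where the vault password lives; the README keeps it in .vault-pass.
VAULT_PASS_FILE="${VAULT_PASS_FILE:-.vault-pass}"

# Ansible reads an inventory argument that contains a comma as an inline host
# list. A bare host or IP without the comma would be looked up as a file, so
# append it unless the argument is an existing path or already ends in a comma.
normalize_inventory() {
    if [ -e "$1" ] || [ "${1%,}" != "$1" ]; then
        printf '%s\n' "$1"
    else
        printf '%s,\n' "$1"
    fi
}

# A vault password file is only used when it exists and is mode 600: anything
# wider would hand the vault password to every local account. Returns 0 when
# the file is usable, 1 otherwise.
vault_pass_usable() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# run_playbook <inventory-or-host> <playbook> [extra ansible-playbook args...]
# Builds the command the README shows, adding --vault-password-file when the
# password file passes the check above. DRY_RUN=1 prints the command instead
# of executing it (a variable of this example, not an ansible-playbook flag).
run_playbook() {
    inv=$(normalize_inventory "$1"); shift
    playbook=$1; shift
    if vault_pass_usable "$VAULT_PASS_FILE"; then
        set -- "$@" --vault-password-file "$VAULT_PASS_FILE"
    fi
    set -- -i "$inv" "$@" "$playbook"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ansible-playbook %s\n' "$*"
    else
        ansible-playbook "$@"
    fi
}

# Entry point, guarded so the functions can be sourced without running anything.
if [ "${RUN_PLAYBOOK_MAIN:-0}" = "1" ]; then
    run_playbook "$@"
fi
```

Running `RUN_PLAYBOOK_MAIN=1 DRY_RUN=1 sh run-playbook-example.sh 10.0.0.5 playbooks/ping.yml -l web1` prints the composed command; without `DRY_RUN` it executes it. A `.vault-pass` with group or world read bits is deliberately not passed on, so a playbook that needs vault secrets fails at decryption instead of silently relying on an over-permissive password file.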

### Passbolt

Add the necessary environment variables to the *.passbolt.yml* file; the
template file *.passbolt.tpl.yml* is included as a reference:

* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/docs/

### Ansible vault

To manage the Ansible vault, place the encryption password into the *.vault-pass* file.

Manage the vault.

```
ansible-vault {view,edit,create} --vault-pass-file .vault-pass .vault.yml
```

> The files used for the vault must only be used locally and
> under **no** circumstances can they be uploaded to the repository.
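
One way to enforce the rule above mechanically is a pre-commit guard. The script below is an added example and not part of the repository: it rejects the local *.vault-pass* and *.vault.yml* by name, and accepts any other file whose name contains `vault` only when it carries the `$ANSIBLE_VAULT;` header that `ansible-vault` writes to encrypted files. The function names, the `VAULT_GUARD_MAIN` variable and the `*vault*.yml` naming pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: a pre-commit style guard for the README's rule that vault
# material stays local (not part of the repository). Assumptions: the local
# files are named .vault-pass and .vault.yml as in the README, and other vault
# files are recognised by the "$ANSIBLE_VAULT;" header of encrypted files.

# is_forbidden <path>: return 0 when the path is vault material that must not
# reach the repository, 1 when it is fine to commit.
is_forbidden() {
    path=$1
    name=${path##*/}
    case "$name" in
        .vault-pass|.vault.yml)
            # The vault password and the local vault itself never leave the
            # machine, so reject them by name even when encrypted.
            return 0 ;;
        *vault*.yml|*vault*.yaml)
            # Any other vault file may be committed only when it is encrypted.
            if [ -f "$path" ] && head -n 1 "$path" | grep -q '^\$ANSIBLE_VAULT;'; then
                return 1
            fi
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# check_paths: read one path per line on stdin, report each offender on stderr
# and return 1 if any was found, 0 otherwise.
check_paths() {
    rc=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if is_forbidden "$p"; then
            printf 'refusing to commit vault material: %s\n' "$p" >&2
            rc=1
        fi
    done
    return "$rc"
}

# As .git/hooks/pre-commit: check the staged files. Guarded so the functions
# can be sourced without running git.
if [ "${VAULT_GUARD_MAIN:-0}" = "1" ]; then
    git diff --cached --name-only --diff-filter=ACMR | check_paths
fi
```

Installed as `.git/hooks/pre-commit` with `VAULT_GUARD_MAIN=1` set in the hook, the commit is aborted the moment a plaintext vault file or the password file is staged, which is cheaper than rotating every secret after a push.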

## Build execution environment for AWX

Create an image with *ansible-builder* and upload it to the registry.

```
ansible-builder build --tag awx-ee:vn1
```

## Common playbooks

* **facts.yml**: Collect and display facts from a host
* **ping.yml**: Check that a host is alive and reachable
* **awx.yml**: Create and configure AWX user
* **debian.yml**: Setup base Debian server

## Documentation

* https://docs.ansible.com/ansible/latest/reference_appendices/config.html
* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/gather_facts_module.html
* https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html
* https://ansible.readthedocs.io/projects/builder/en/latest/
* https://www.ansible.com/blog/introduction-to-ansible-builder/
* https://github.com/ansible/awx-ee/
* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt