# Verdnatura Ansible playbooks

Collection of Ansible playbooks used in the Verdnatura server farm.

## Setup Ansible

### Debian

Install Ansible package.
```
apt install ansible
```

### Python

Create a Python virtual environment.
```
python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0
pip install -r requirements.txt
```

Before running any Ansible command, activate the Python virtual environment.
```
source venv/bin/activate
```

Once you're done, deactivate the virtual environment.
```
deactivate
```

### All platforms

Install dependencies.
```
ansible-galaxy collection install -r collections/requirements.yml
```

## Run playbook

Before merging changes into protected branches, playbooks should be tested 
locally to ensure they work properly. The *local* inventory can also be used, 
wich is not uploaded to the repository.

Run playbook on inventory host.
```
ansible-playbook -i inventories/local -l <host> [-t tag1,tag2...] playbooks/ping.yml
```

Run playbook on the fly on a host not declared in the inventory.
```
ansible-playbook -i <ip_or_hostname>, playbooks/ping.yml
```

*Note the comma at the end of the hostname or IP.*

## Manage secrets

Secrets can be managed by using Ansible vault or an external keystore, Passbolt 
is used in this case. It is recommended to use an external keystore to avoid 
publicly exposing the secrets, even if they are encrypted.

When running playbooks that use any of the keystores mentioned above, the 
*run-playbook.sh* script can be used, it is an ovelay over the original 
*ansible-playbook* command which injects the necessary parameters.

### Passbolt

Add the necessary environment variables to the *.passbolt.yml* file, the 
template file *.passbolt.tpl.yml* is included as a reference:

* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/docs/

### Ansible vault

To manage Ansible vault place the encryption password into *.vault-pass* file.

Manage the vault.
```
ansible-vault {view,edit,create} --vault-pass-file .vault-pass .vault.yml
```

> The files used for the vault must only be used locally and 
> under **no** circumstances can they be uploaded to the repository.

## Build execution environment for AWX

Create an image with *ansible-builder* and upload it to registry.
```
ansible-builder build --tag awx-ee:vn1
```

## Common playbooks

* **facts.yml**: Collect and display facts from a host
* **ping.yml**: Check that a host is alive and reachable
* **awx.yml**: Create and configure AWX user
* **debian.yml**: Setup base Debian server

## Documentation

* https://docs.ansible.com/ansible/latest/reference_appendices/config.html
* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/gather_facts_module.html
* https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html
* https://ansible.readthedocs.io/projects/builder/en/latest/
* https://www.ansible.com/blog/introduction-to-ansible-builder/
* https://github.com/ansible/awx-ee/
* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt