# Verdnatura Ansible playbooks

Collection of Ansible playbooks used in the Verdnatura server farm.

## Setup Ansible

### Debian

Install the Ansible package.

```
apt install ansible
```

### Python

Create a Python virtual environment.

```
python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0
```

Before running any Python dependent command, activate the virtual environment.

```
source venv/bin/activate
```

Once you are done, deactivate the virtual environment.

```
deactivate
```

### All platforms

Install the dependencies.

```
pip install -r requirements.txt
ansible-galaxy collection install -r collections/requirements.yml
```

## Run playbook

Before merging changes into protected branches, playbooks should be tested locally to ensure they work properly. The *inventories/local* inventory is not uploaded to the repository and can be used for local testing. In any case, it is advisable to use a separate repository to store inventories.

Run a playbook on an inventory host.

```
ansible-playbook -i inventories/local -l <host> [-t tag1,tag2...] playbooks/ping.yml
```

Run a playbook on the fly on a host not declared in the inventory.

```
ansible-playbook -i <host>, playbooks/ping.yml
```

*Note the comma at the end of the hostname or IP.*

## Manage secrets

Secrets can be managed with Ansible vault or with an external keystore; Passbolt is the keystore used here. An external keystore is recommended so that secrets are never exposed publicly, even in encrypted form.

When running playbooks that use either of the keystores mentioned above, the *run-playbook.sh* script can be used. It is an overlay over the original *ansible-playbook* command which injects the necessary parameters.
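The wrapper idea described above, as an added shell example: this is not the project's *run-playbook.sh* (whose contents are not shown in this README), and it assumes the vault file names this README uses, *.vault-pass* and *.vault.yml*, plus a *.gitignore* in the working directory. It injects the vault password file only when present and refuses to run if the vault files could be committed or the password file is readable by other users.

```sh
#!/bin/sh
# Added example (not the project's run-playbook.sh): injects the vault
# password file only when it exists locally, and refuses to run when the
# vault files are not git-ignored or the password file is not private.
set -eu

# is_ignored FILE IGNOREFILE: succeed if FILE appears as a whole-line entry
# (with or without a leading slash) in IGNOREFILE. Literal match only, not
# full gitignore semantics, but enough to catch a forgotten entry.
is_ignored() {
    [ -f "$2" ] || return 1
    grep -qxF -e "$1" -e "/$1" "$2"
}

# is_private FILE: succeed if FILE has no group/other permission bits set
# (e.g. mode 0600). Parses the ls -l mode string, portable to GNU and BSD.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# vault_args PASSFILE VAULTFILE IGNOREFILE: print the extra ansible-playbook
# arguments. Prints nothing when PASSFILE is absent (the play runs without
# a vault); fails with a message on stderr when the setup is unsafe.
vault_args() {
    pass_file="$1" vault_file="$2" ignore_file="$3"
    [ -f "$pass_file" ] || return 0
    for f in "$pass_file" "$vault_file"; do
        if ! is_ignored "$f" "$ignore_file"; then
            echo "error: $f is not listed in $ignore_file" >&2
            return 1
        fi
    done
    if ! is_private "$pass_file"; then
        echo "error: $pass_file must not be group or world readable" >&2
        return 1
    fi
    printf '%s %s\n' --vault-password-file "$pass_file"
}

# main [ansible-playbook args...]: the wrapper itself, e.g.
#   ./run-playbook-example.sh -i inventories/local playbooks/ping.yml
main() {
    extra=$(vault_args .vault-pass .vault.yml .gitignore)
    # shellcheck disable=SC2086  # splitting $extra into words is intended
    exec ansible-playbook $extra "$@"
}

# Act as the wrapper only when given arguments; otherwise just define functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```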
### Passbolt

Add the necessary environment variables to the *.passbolt.yml* file; the template file *.passbolt.tpl.yml* is included as a reference:

* https://galaxy.ansible.com/ui/repo/published/anatomicjc/passbolt/docs/

### Ansible vault

To manage the Ansible vault, place the encryption password into the *.vault-pass* file.

Manage the vault.

```
ansible-vault {view,edit,create} --vault-pass-file .vault-pass .vault.yml
```

> The files used for the vault must only be used locally and
> under **no** circumstances can they be uploaded to the repository.

## Build execution environment for AWX

Create an image with *ansible-builder* and upload it to the registry.

```
ansible-builder build --tag awx-ee:vn1
```

## Common playbooks

* **facts.yml**: Collect and display facts from a host
* **ping.yml**: Check that a host is alive and reachable
* **awx.yml**: Create and configure the AWX user
* **debian.yml**: Set up a base Debian server

## Documentation

* https://docs.ansible.com/ansible/latest/reference_appendices/config.html
* https://docs.ansible.com/ansible/latest/collections/ansible/builtin/gather_facts_module.html
* https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html
* https://ansible.readthedocs.io/projects/builder/en/latest/
* https://www.ansible.com/blog/introduction-to-ansible-builder/
* https://github.com/ansible/awx-ee/
* https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt