Collection of Ansible playbooks used in the Verdnatura server farm
Xavi Lleó 588db894a1 Refs #8025 Rol debian-base. All task - Refactor from octal permissions to plain text 2024-10-10 16:12:29 +02:00
Verdnatura Ansible playbooks

Collection of Ansible playbooks used in the Verdnatura server farm.

Setup Ansible

Debian

Install Ansible package.

apt install ansible

Python

Create a Python virtual environment.

python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0
pip install -r requirements.txt

Before running any Ansible command, activate the Python virtual environment.

source venv/bin/activate

Once you're done, deactivate the virtual environment.

deactivate

All platforms

Install dependencies.

ansible-galaxy collection install -r collections/requirements.yml

Run playbook

Before merging changes into protected branches, playbooks should be tested locally to ensure they work properly. The local inventory, which is not uploaded to the repository, can also be used for this.

Run playbook on inventory host.

ansible-playbook -i inventories/local -l <host> [-t tag1,tag2...] playbooks/ping.yml

Run playbook on the fly on a host not declared in the inventory.

ansible-playbook -i <ip_or_hostname>, playbooks/ping.yml

Note the comma at the end of the hostname or IP.

Manage secrets

Secrets can be managed with Ansible vault or with an external keystore; Passbolt is used in this case. An external keystore is recommended so that secrets are never exposed publicly, even in encrypted form.

When running playbooks that use any of the keystores mentioned above, the run-playbook.sh script can be used. It is an overlay over the original ansible-playbook command which injects the necessary parameters.

Passbolt

Add the necessary environment variables to the .passbolt.yml file; the template file .passbolt.tpl.yml is included as a reference:

Ansible vault

To manage Ansible vault, place the encryption password into the .vault-pass file.

Manage the vault.

ansible-vault {view,edit,create} --vault-pass-file .vault-pass .vault.yml

The files used for the vault must only be used locally and must never be uploaded to the repository.
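A pre-commit style guard for the local-only rule above, added here as an example and not part of the repository: it checks that the secret files this README names (.vault-pass, .vault.yml, .passbolt.yml) each have an entry in .gitignore, and refuses when any of them appears among the staged paths read from stdin. The file names are the ones from this README; the .gitignore contents and path lists used to try it are constructed.

```sh
#!/bin/sh
# Added example, not part of the repository: a pre-commit style guard for the
# local-only secret files named in this README. It checks that each is listed
# in .gitignore and that none is among the paths about to be committed.
# Usage:  check_gitignore .gitignore && git diff --cached --name-only | check_staged

SECRET_FILES=".vault-pass .vault.yml .passbolt.yml"

# check_gitignore <gitignore-file>
# Succeeds only if every secret file has its own exact entry (".vault-pass"
# or "/.vault-pass"); a broader glob would also ignore it but is not detected here.
check_gitignore() {
    gitignore="$1"
    missing=""
    for f in $SECRET_FILES; do
        if ! grep -qxF -e "$f" -e "/$f" "$gitignore" 2>/dev/null; then
            missing="$missing $f"
        fi
    done
    if [ -n "$missing" ]; then
        echo "not covered by $gitignore:$missing" >&2
        return 1
    fi
    return 0
}

# check_staged
# Reads paths (one per line, as printed by `git diff --cached --name-only`)
# from stdin and fails if any has a secret file's name, in any directory.
# Encrypted vault files count too: the README forbids uploading them at all.
check_staged() {
    leaked=""
    while IFS= read -r path; do
        base=${path##*/}
        for f in $SECRET_FILES; do
            if [ "$base" = "$f" ]; then
                leaked="$leaked $path"
            fi
        done
    done
    if [ -n "$leaked" ]; then
        echo "refusing commit, secret file(s) staged:$leaked" >&2
        return 1
    fi
    return 0
}
```

Wire it into .git/hooks/pre-commit so the commit is aborted when either check fails.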

Build execution environment for AWX

Create an image with ansible-builder and upload it to the registry.

ansible-builder build --tag awx-ee:vn1

Common playbooks

  • facts.yml: Collect and display facts from a host
  • ping.yml: Check that a host is alive and reachable
  • awx.yml: Create and configure AWX user
  • debian.yml: Setup base Debian server

Documentation