Xavi Lleó cae5ec6c59 | ||
---|---|---|
collections | ||
context | ||
inventories | ||
playbooks | ||
roles | ||
.gitignore | ||
.passbolt.tpl.yml | ||
LICENSE | ||
README.md | ||
ansible.cfg | ||
execution-environment.yml | ||
requirements.txt | ||
run-playbook.sh |
README.md
Verdnatura Ansible playbooks
Collection of Ansible playbooks used in the Verdnatura server farm.
Setup Ansible
Debian
Install Ansible package.
apt install ansible
Python
Create a Python virtual environment.
python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip ansible==10.1.0 ansible-builder==3.1.0
Before running any Python dependent command, activate the virtual environment.
source venv/bin/activate
Once you are done, deactivate the virtual environment.
deactivate
All platforms
Install dependencies.
pip install -r requirements.txt
ansible-galaxy collection install -r collections/requirements.yml
Run playbook
Before merging changes into protected branches, playbooks should be tested locally to ensure they work properly. The inventories/local inventory is not uploaded to the repository and can be used for local testing. In any case, it is advisable to use a different repository to store inventories.
Run playbook on inventory host.
ansible-playbook -i inventories/local -l <host> [-t tag1,tag2...] playbooks/ping.yml
Run playbook on the fly on a host not declared in the inventory.
ansible-playbook -i <ip_or_hostname>, playbooks/ping.yml
Note the comma at the end of the hostname or IP.
List available tags for playbook.
ansible-playbook playbooks/<playbook_name>.yml --list-tags
Manage secrets
Secrets can be managed by using Ansible vault or an external keystore, Passbolt is used in this case. It is recommended to use an external keystore to avoid publicly exposing the secrets, even if they are encrypted.
When running playbooks that use any of the keystores mentioned above, the run-playbook.sh script can be used, it is an ovelay over the original ansible-playbook command which injects the necessary parameters.
Passbolt
Add the necessary environment variables to the .passbolt.yml file, the template file .passbolt.tpl.yml is included as a reference:
Ansible vault
To manage Ansible vault place the encryption password into .vault-pass file.
Manage the vault.
ansible-vault {view,edit,create} --vault-pass-file .vault-pass .vault.yml
The files used for the vault must only be used locally and under no circumstances can they be uploaded to the repository.
Build execution environment for AWX
Create an image with ansible-builder and upload it to registry.
ansible-builder build --tag awx-ee:vn1
Common playbooks
- facts.yml: Collect and display facts from a host
- ping.yml: Check that a host is alive and reachable
- awx.yml: Create and configure AWX user
- debian.yml: Setup base Debian server
Documentation
- https://docs.ansible.com/ansible/latest/reference_appendices/config.html
- https://docs.ansible.com/ansible/latest/collections/ansible/builtin/gather_facts_module.html
- https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_vars_facts.html
- https://ansible.readthedocs.io/projects/builder/en/latest/
- https://www.ansible.com/blog/introduction-to-ansible-builder/
- https://github.com/ansible/awx-ee/
- https://www.passbolt.com/blog/managing-secrets-in-ansible-using-passbolt