Go to file
2020-07-11 17:12:40 +02:00
group_vars Disable iptables config for CentOS hosts 2020-07-11 17:12:40 +02:00
host_vars Add dist-upgrade in Debian upgrade cmd and rename host template 2020-07-10 20:06:44 +02:00
roles Adapt client_iptables role to support Gentoo 2020-07-11 16:46:19 +02:00
.gitignore Change Munin server config and set vars in host_vars instead of group_vars 2020-07-11 09:38:12 +02:00
inventory_template.yml First commit 2020-05-15 22:22:26 +02:00
playbook_general_deploy.yml Adapt client_iptables role to support Gentoo 2020-07-11 16:46:19 +02:00
playbook_munin_server_deploy.yml Update Munin server role and all related resources 2020-07-11 00:11:21 +02:00
README.md Delete description for unpublished playbooks 2020-05-15 22:29:09 +02:00
requirements.yml Add Certbot and Nginx requirements 2020-07-10 23:59:59 +02:00
ToDoList.md First commit 2020-05-15 22:22:26 +02:00

ansible-base

Introduction

This document describes how to use ansible-base to deploy basic infrastructures.

The main parts of this document are :

  • Ansible "server" (or local machine) preparation
  • Nodes preparation
  • Deployment

Ansible "server" (or local machine) preparation

Update and install Ansible and GIT on your system.

Clone this repo (ssh pubkey needs to be authorized for this repo) and go into the cloned directory :

git clone https://git.grifon.fr/nemo/ansible-base.git
cd ansible-core

Download roles dependecies (currenty not used) :

ansible-galaxy install -r requirements.yml -p ./roles/

Copy the template inventory and edit the new file to add your node(s) in the corresponding function section and os section :

cp inventory_template.yml inventory_yourInventoryName.yml
vi inventory_yourInventoryName.yml

Example with template values :

all:
  vars:
    ansible_user: ansible
    ansible_become: yes
  children:
    function:
      children:
        backup_server:
          hosts:
            myFirstGentooHost.example.org:
	    ...
	...
    os:
      children:
        os_gentoo:
          hosts:
            myFirstGentooHost.example.org:
            mySecondGentooHost.anotherexample.org:
        os_debian:
          hosts:
            myFirstDebianHost.example.org:
            mySecondDebianHost.anotherexample.org:
	    ...
        ...

Note : the node's name needs to be reachable, you can use IP address or FQDN (recommended). WARNING : if you don't want to publish your inventory in the SCM system, add the filename in your .gitignore file (if you're using GIT).

Create a vault file for all nodes using the vault template file and define all values :

cp group_vars/all/vault.yml.template group_vars/all/vault.yml
vim group_vars/all/vault.yml

Encrypt the vault file and check if edit function works. A prompt will ask you a password :

ansible-vault encrypt group_vars/all/vault.yml
ansible-vault edit group_vars/all/vault.yml

Note : if you version your code, don't forget to exclude this vault file of versionning (with .gitignore file if you are using GIT).

According to your needs, you can edit all variables in group_vars directory and subdirectories.

You can also define host-specific variables (reboot/upgrade enable/disabe, cron hours, specific config, ...) in the host_vars directory (host.example.org is a commented example). Don't forget to update .gitignore if you don't want to publish some host vars.

Nodes preparation

On the node, with the root account (or sudo) :

  • Install SSH, sudo and gentoolkit (if Gentoo) OR python-apt (if Debian) OR python-yum (if CentOS) ...
  • Enable and start SSH service.
  • Configure the ansible user :
# Create an ansible user
useradd -m -s /bin/bash ansible

# Add sudoers rights to ansible user
echo "ansible ALL=(ALL:ALL) NOPASSWD: ALL
" >  /etc/sudoers.d/ansible

# Check the sudo configuration
su - ansible
sudo -i # If OK, you're root here
exit
exit

# Add SSH public key of the account used on the Ansible server (or local machine) to the ansible user on the remote node to deploy
su - ansible
mkdir -p .ssh
vi .ssh/authorized_keys # Here add pubkey

Note : this procedure can vary slightly if you're not using a Debian or CentOS node.

On the Ansible server (or local machine), check the SSH connection :

ssh ansible@<YOUR_MANAGED_NODE>
exit

Deployment

From the Ansible server (or your local machine), you can deploy specific playbooks using the following command :

ansible-playbook -i inventory_yourInventoryName.yml <playbook_name> --ask-vault-pass

Notes :

  • --diff option can be added to see the difference applied.
  • --check option can be added to test the deployment without really do any action on the remote node (in some cases it fails even if the deployment will go well).

Playbook deployment :

  • playbook_general_deploy.yml

playbook_general_deploy.yml

This playbook deploys general configuration : tools (useful packages), auto reboot, auto upgrade, sudo users, NTP client and DNS resolvers.

Other playbooks will be written...