How I use ansible
This is a quick summary of how I use Ansible to setup my environment. Bare in mind that I’m not an expert or anything. I’m just showing you how I user it to make my life a little saner.
I have 3 main classes of playbooks that I use.
- Setup Server
- Setup Service
- Setup Workstation
Setup Server
This is one of my bigger ansible playbook. It does a lot of little things but it does them to all the systems in my environment. So when I first spin up a new VM, I start by assigning it a static IP (and maybe DNS entry) in my DHCP server, then I add it’s IP to my inventory file an re-run the playbook.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
tree -L 2 --dirsfirst
.
├── ans-venv
│ └── (this is just the folder made with python -m venv ans-venv)
├── files
│ ├── id_ed25519_ansible
│ ├── id_ed25519_ansible.pub
│ ├── inventory.yml
│ ├── logs
│ └── passwords.yml
├── main
│ ├── defaults
│ ├── files
│ │ └── ssh
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ ├── base.yml
│ │ ├── main.yml
│ │ ├── ssh.yml
│ │ ├── ufw.yml
│ │ ├── updates.yml
│ │ └── wazuh.yml
│ ├── tests
│ ├── vars
│ └── README.md
├── vms
│ ├── defaults
│ ├── handlers
│ ├── meta
│ ├── tasks
│ │ └── (this is just for qemu-agents)
│ ├── tests
│ ├── vars
│ └── README.md
├── LICENSE
├── README.md
├── ansible.cfg
└── main.yml
The use of this playbook is simple. Run ansible-playbook main.yml from the command line with the option to add --tags to the end. The optional tags are ping, updates, base and then a series of tags to only run a task.
ping is pretty simple. It just runs gather_facts on all the machines in the inventory file to validate everything can be connected to.
updates is also simple in that it just runs a simple playbook to update all the servers. Right now I only run debian and ubuntu systems.
1
2
3
4
5
6
7
- name: Updates
become: true
ansible.builtin.apt:
update_cache: yes
upgrade: yes
autoremove: yes
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
base does a couple easy things.
- It makes sure
danis in thesudogroup. - Sets the timezone to
America/Denver(If I ever setup servers outside of my homelab, I would set that to UTC) - Installs a couple niceties like
tmux,vim, andtree. - It also installs and sets up some packages like
unattended-upgradesandavahi-daemon. - Creates a cronjob to run
ansible-pull -U https://gitea.oconnordaniel.com/dan/ansible-pull.gitwhich just runs updates and reboots all the servers once a week.
ssh Sets up all servers with the authorized_keys files to accept a couple keys, as well as setting up the sshd_config file to disable root and password login.
ufw Sets up all server to enable Uncomplicated FireWall on all servers. Then opens up 22 but ONLY from the trusted_net subnets.
Note that that’s all it does. That means if I need to open 80 for a web server or 8006 to get to the proxmox web UI, I need to run a different playbook for that service.
wazuh, zabbix, nagios, crowdsec. are all plays that I’ve started to setup the client or agent on the servers. This doesn’t install the server, these all get their own playbook.
VMs
VMs get a special sub playbook to setup the qemu-guest-agent on the VM.
Setup Workstation
I’ll save Workstations for another post. But there are two playbooks I use to setup a linux desktop with all it’s apps and configs, and a MacOS playbook for the same thing.
Setup Service
As mentioned earlier. These get their own playbook. The general flow is.
- Spin up a VM.
- Read though the docs and setup the service set by step.
- Make sure I’m even happy with the system.
- Tear it all down and then goes though the docs and setup step by step by making a series of Ansible tasks to do each step.
This means that I have a single playbook that sets up something like a web server or my ProxMox hosts that just focuses on that. It’s THAT’S playbook’s job to setup whatever ports or services or tools are needed for that system to work.
The Code
I’ve stripped out some of the less publicly appropriate code and pushed a copy of this playbook to My GitHub repo