To make a connection to the servers, ssh needs to be configured on the machine by executing the following command:
$ ssh-keygen -f jiskefet
# Press ENTER twice to set it as default without a passphrase.
Navigate to the .ssh folder:
cd ~/.ssh
After that, change the ssh config by executing the following command:
$ vi config
and adding the following lines into the document:
########## Jiskefet ##########
Host jiskefet-api
HostName IP_ADDRESS_HERE
User root
Port 22
IdentityFile ~/.ssh/jiskefet
Host jiskefet-db
HostName IP_ADDRESS_HERE
User root
Port 22
IdentityFile ~/.ssh/jiskefet
Do NOT forget to change the IP addresses in the config file.
Execute the following commands to copy the ssh keys to the servers:
$ ssh-copy-id -i jiskefet.pub jiskefet-api
$ ssh-copy-id -i jiskefet.pub jiskefet-db
To test the connections the following command can be executed:
$ ansible -m ping all
If everything went well the following output should show:
jiskefet-db | SUCCESS => {
"changed": false,
"ping": "pong"
}
jiskefet-api | SUCCESS => {
"changed": false,
"ping": "pong"
}
There are several ways connecting to the servers defined in the hosts
file.
The files in this folder will apply to the host groups that are defined in the hosts
file.
The hosts
file currently contains two groups:
[webservers]
[dbservers]
Each of the host groups has it's own folder in the groups_var
folder. The folder would look as follow:
group_vars
|----all
| |-- vars.yml
| |-- vault.yml
|
|----dbservers
| |-- vars.yml
| |-- vault.yml
|
|----webservers
|-- vars.yml
|-- vault.yml
If all the host groups are using the same variables, please update the file at group_vars/all/vars.yml
and group_vars/all/vault.yml
. This file will apply to all the hosts. If the variables are different between the host groups, please update the other files at groups_vars/*/vars.yml
and group_vars/*/vault.yml
.
If you want to have granular control over all the servers that are in the hosts
file, you can add server_name
folder to the host_vars
folder. This folder follows the same principle as the group_vars
section above.
This ansible-playbook has a built in step by step host_vars
with host
creation when running ansible-playbook site.yml
.
host_vars
|----webserver1
| |-- vars.yml
| |-- vault.yml
|
|----webserver2
| |-- vars.yml
| |-- vault.yml
|
|----databaseserver1
| |-- vars.yml
| |-- vault.yml
|
|----databaseserver2
|-- vars.yml
|-- vault.yml
It is possible to set the ssh parameters in the host file as displayed below. The drawback is that the credentials will be exposed. If possible, please refrain from using this setup.
[jiskefet-frontend]
jiskefet-api ansible=your_user_here ansible_ssh_pass=your_password_here
[jiskefet-backend]
jiskefet-db ansible=your_user_here ansible_ssh_pass=your_password_here
A best practice approach is to define all the variables, including any sensitive ones in the vars.yml
. The next is to copy all the sensitive variables such as passwords and other secrets over to the vault.yml
and prefix the variables with vault_
. Now all the variables in vars.yml
that contains sensitive information needs to point to the matching vault_
variable using jinja2 syntax. An example can be seen below.
# group_vars/all/vars.yml
ansible_user: your_user_here
ansible_ssh_pass: "{{ vault_ansible_ssh_pass }}"
# group_vars/all/vault.yml
vault_ansible_ssh_pass: your_password_here
The last step is to encrypt the vault.yml
with the following command:
$ ansible-vault encrypt path/group_vars/all/vault.yml
A prompt will ask you to set a new vault password to encrypt and decrypt the vault. For more information please go to the official documentation from Ansible here.
To edit the encrypted files, please execute the following command:
$ ansible-vault edit path/group_vars/all/vault.yml
To remove encryption from the vault files, execute the following command:
$ ansible-vault decrypt path/group_vars/all/vault.yml
There are several options to run the playbook with variables encrypted by ansible-vault. The current implementation uses ansible.cfg
to set the path to the vault password file.
# If set configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line.
vault_password_file = /path/to/vault_pass
If you want ansible to prompt the user for input, pass the --ask-vault-pass
flag to the console.
$ ansible-playbook --ask-vault-pass site.yml
For other options please go to the official documentation from Ansible here.