On a fresh installed system, for Debian system:
sudo apt update
sudo apt upgrade -yfirst install Ansible (more informations: Ansible installation doc:
sudo apt install software-properties-common # Install the software-properties-common package
sudo apt-add-repository ppa:ansible/ansible # Install ansible personal package archive
# Install ansible
sudo apt update
sudo apt install ansiblethen test ansible:
ansible localhost -m pingthe output should looks like this:
localhost | SUCCESS => {
"changed": false,
"ping": "pong"
}configure the hosts file inventory containing the target hosts located at /etc/ansible/hosts or create a hosts file at a specific location :
sudo nano /etc/ansible/hosts
# or in local file
sudo nano hoststhe file contains already some example, for our usage, we must define this computer, because it will be the main server and the other server nodes if needed. Of course this configuration is depending the network availability and architecture. This is just an exemple:
[servers]
server1 ansible_host=localhost ansible_connection=local
server2 ansible_host=20.199.113.xxx ansible_user=xxx
[main]
server1
[web]
server1
server2
[db]
server1
server2
[file]
server1
[network]
server1
server2the localhost is set with the variable ansible_connection=local to avoid using the ssh connection to reach itself. A specific user can be set for external servers, The ssh key pair connection is used for this example. The public key of the localhost must be set as authorized key in the remote hosts. more details can be seen here: Ansible inventory doc.
to test the good configuration of the inventory, the Ansible ping command can be send to all the inventory:
ansible all -m ping
# or by using local hosts file
ansible -i hosts all -m pingand all hosts should reply to the command successfully:
server1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}
server2 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}Setup the hosts passwords in an Ansible vault to secure them, for that, create a dictionary with the passwords, for exemple, edit the vault file :
nano Ansible/group_vars/servers/my_vault.ymland set the password of the hosts:
my_vault:
server1:
ansible_password: XXXX
server2:
ansible_password: XXXXthen encrypt the password vault to remove plan password text
ansible-vault encrypt Ansible/group_vars/servers/my_vault.ymland set the vault password as wanted, the vault file is then encrypted.
Now as we have set a vault password, for each ansible command that needs the passwords, the flag --ask-vault-pass must be added to decrypt the vault passwords.
The vault password can also be set in a password file for example:
echo "password" >> Ansible/password.txtthen the password file can be used to call playbooks that are using the password vault.
The set passwords can be tested by using the debug.yaml playbook:
ansible-playbook -i Ansible/hosts Ansible/debug.yaml --ask-vault-pass
# or
ansible-playbook -i Ansible/hosts Ansible/debug.yaml --vault-password-file Ansible/password.txtand the set password must be displayed in the output:
Vault password:
PLAY [servers] **************************************************************************************
TASK [Gathering Facts] ******************************************************************************
ok: [server2]
ok: [server1]
TASK [debug] ****************************************************************************************
ok: [server1] => {
"ansible_password": "XXXX"
}
ok: [server2] => {
"ansible_password": "XXXX"
}
PLAY RECAP ******************************************************************************************
server1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server2 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0