Ansible (2)

Date: 2024/02/19 (initial publish), 2024/02/23 (last update)

Source: en/note-00066.md


Here is a series of memos of me trying to use ansible on Debian 12 (bookworm).

FYI: Test code github repo

Searching roles in Ansible Galaxy and ansible-galaxy

Ansible Galaxy is a curation site for Ansible scripts. They are offered in 2 formats:

Once some interesting script is found from the search on the Ansible Galaxy web site, execute the listed command. E.g.:

 $ ansible-galaxy role install foo.bar
 ...

The actual data seems to come from a GitHub repository and is downloaded to the default location ANSIBLE_HOME, which is ~/.ansible.

The default search path for the role can be found in the default ansible.cfg template as:

# (pathspec) Colon separated paths in which Ansible will search for Roles.
roles_path={{ ANSIBLE_HOME ~ "/roles:/usr/share/ansible/roles:/etc/ansible/roles" }}

Here, “~” (tilde) is the Jinja string concatenation operator.

These scripts tend to address generic administration tasks on remote hosts and are a bit complicated. Also, some of them are old and use deprecated features. Let me use them carefully, only as reference examples to learn Ansible.

Creating an initial system setup playbook

Let me expand the “Playbook to install multiple packages (use roles)” example to create an initial system setup playbook.

Creating a full project template with ansible-galaxy

Let me create a full project template with ansible-galaxy as:

 $ cd /path/to/ansible-config-data/
 $ cat >ansible.cfg << EOF
[defaults]
# (pathlist) Comma separated list of Ansible inventory sources
inventory=inventory.yml
# disables searching roles in ~/.ansible/roles
roles_path=./roles
EOF
 $ cat >inventory.yml << EOF
---
all:
  hosts:
    localhost:
      ansible_connection: local
EOF
 $ ansible-galaxy init roles/base

This creates a nice source template. Let me merge what was presented in “Playbook to install multiple packages (use roles)” into this template.

 $ tree
.
├── README.md
├── ansible.cfg
├── inventory.yml
├── pb_main.yml
└── roles
    └── base
        ├── README.md
        ├── defaults
        │   └── main.yml
        ├── files
        ├── handlers
        │   └── main.yml
        ├── meta
        │   └── main.yml
        ├── tasks
        │   ├── install.yml
        │   ├── main.yml
        │   ├── remove.yml
        │   └── upgrade.yml
        ├── templates
        ├── tests
        │   ├── inventory
        │   └── test.yml
        └── vars
            └── main.yml

Read “Role directory structure” for explanation.

Module to set up APT repository configuration

Let me set up the APT repository in deb822 format using the following modules:

roles/base/tasks/apt_setup.yml:

---
- name: Remove /etc/apt/sources.list
  ansible.builtin.file:
    path: /etc/apt/sources.list
    state: absent

- name: Set APT repository (debian)
  ansible.builtin.deb822_repository:
    name: debian
    types:
      - deb
      - deb-src
    uris: http://deb.debian.org/debian
    suites:
      - bookworm
      - bookworm-updates
      - bookworm-backports
    components:
      - main
      - non-free-firmware
      - contrib
      - non-free

- name: Set APT repository (debian-security)
  ansible.builtin.deb822_repository:
    name: debian-security
    types:
      - deb
      - deb-src
    uris: https://security.debian.org/debian-security/
    suites:
      - bookworm-security
    components:
      - main
      - non-free-firmware
      - contrib
      - non-free

ansible.builtin.file can also be used to create files and directories and to set permissions on them.

Module to copy configuration file

Let me set up the /etc/sudoers.d/passwordless configuration file using the following module:

roles/base/tasks/sudoers.yml:

---
- name: Allow passwordless for all %sudo
  ansible.builtin.copy:
    src: etc/sudoers.d/passwordless
    dest: /etc/sudoers.d/passwordless
    owner: root
    group: root
    mode: '0644'
  tags:
    - sudoers

roles/base/files/etc/sudoers.d/passwordless:

# No password required for the user in sudo group
# please note the last match wins configuration
%sudo ALL = (ALL:ALL) NOPASSWD: ALL
# No password for 8 hours
#Defaults timestamp_timeout = 480
#Defaults timestamp_type = global

Here, a file specified by the relative path from roles/base/files is copied to the remote system.

Module to set up a configuration file from a template file

Similar to the ansible.builtin.copy module, the ansible.builtin.template module can set up configuration files from Jinja template files specified by relative paths from roles/base/templates.

By convention, the template file uses the .j2 filename extension. This helps vim apply Jinja syntax highlighting.
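As an added example (not code from the original post or its test repository), here is the sudoers drop-in from the previous section rendered with ansible.builtin.template, with the rendered file checked by visudo before it is installed. The file name sudoers_template.yml, the template path passwordless.j2 and the variables base_sudo_group and base_sudo_timestamp_timeout are assumptions made for this example.

```yaml
---
# roles/base/tasks/sudoers_template.yml (hypothetical file name)
#
# Template file, roles/base/templates/etc/sudoers.d/passwordless.j2:
#
#   # {{ ansible_managed }}
#   # please note the last match wins configuration
#   %{{ base_sudo_group }} ALL = (ALL:ALL) NOPASSWD: ALL
#   {% if base_sudo_timestamp_timeout is defined %}
#   Defaults timestamp_timeout = {{ base_sudo_timestamp_timeout }}
#   {% endif %}

- name: Render passwordless sudo drop-in from template
  ansible.builtin.template:
    # src is relative to roles/base/templates
    src: etc/sudoers.d/passwordless.j2
    dest: /etc/sudoers.d/passwordless
    owner: root
    group: root
    # 0440 is sudo's default mode for sudoers files
    mode: '0440'
    # The rendered temporary file is checked before it replaces dest;
    # a syntax error fails the task and leaves the old file in place.
    validate: /usr/sbin/visudo -cf %s
  vars:
    # Assumed variable names, set here so the task is self-contained;
    # in the role they would normally live in roles/base/defaults/main.yml.
    base_sudo_group: sudo
    # Uncomment to emit the "Defaults timestamp_timeout" line (minutes).
    # base_sudo_timestamp_timeout: 480
  tags:
    - sudoers

- name: Check the complete sudoers configuration
  # validate above only sees the single rendered file; this checks
  # /etc/sudoers together with everything it includes.
  ansible.builtin.command:
    cmd: /usr/sbin/visudo -c
  changed_when: false
  tags:
    - sudoers
```

The same validate parameter is also accepted by ansible.builtin.copy, so the copy-based task in the previous section can be checked in the same way.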

Modules to execute the shell command

Although using proper builtin modules is desirable in many cases, executing an arbitrary program can be quite handy.

There are 4 modules to accommodate this.
