vulcanridr

Ansible Archives: Provision role

I decided to start another series that will intermingle with the other assorted nonsense on this blog. I'm calling it Ansible Archives. It is basically going to cover how and why I wrote a playbook, and the thought processes behind it. Like Dan Langille, this is more for my own memory, but may also help someone out there.

So the first chapter of this covers one of the first sets of playbooks that I wrote, called provision, which is also the first playbook that I turned into a role. I call the role provision. It is configured to provision hosts in my homelab. There are currently four types of hosts on my network:

  • FreeBSD appliances (e.g. TrueNAS, pfSense/OPNsense)
  • FreeBSD servers/workstations
  • FreeBSD jail servers (primarily using Bastille)
  • The odd Devuan linux workstation (e.g. my wife's machines)

I also have multiple architectures, primarily amd64 and ARM (a single RPi 3), giving me three categories of filesystems on hosts:

  • Most servers are running ZFS
  • The RPi is running UFS on an SD card
  • Jails live on a ZFS pool of the jail server, but don't have a pool of their own.

So the provision role's job is to take a freshly created host, whether server, workstation, or jail, and set it up. At the end of the provisioning run, it should be ready to have whatever unique software installed for its designated purpose.

So how does this look on my network?

  • Determine which of the three categories above the host belongs to (jail or hardware host) and which filesystem it runs (zfs or not).
  • Clean up /etc/ssh/moduli, removing any modulus less than 3072 bits.
  • Set up FreeBSD repositories, including the repo for my poudriere install.
  • Install essential packages (like python, bash, vim, sudo, rsync, etc.), set up /etc/hosts, create a directory for local facts in case this is needed, and create a cron job to save the current package list every day.
  • Part 2 of the previous step is to install smartmontools and ntp, but only on hardware nodes.
  • Part 3 of this step is only applied if the node is a hardware node and running zfs. This step installs the zfstools package and the check_zfs_pool script for snapshot management, and configures both in /etc/crontab.
  • User setup. Sets up my user account, the backuppc user, and sets up sudoers entries for both.
  • Set up files within user accounts. The bashprompt file is a script I wrote so that the prompt tells me at a glance what OS the host runs and whether I am a regular user or root. I've been using this script for 20+ years. I also set up .profiles and .bashrcs here for users and root.
  • Next is to set up dma, the Dragonfly Mail Agent, and set up periodic to send emails to my user account every day.
  • The last two items are to set up ssh, distributing my user keys as well as the one for the backuppc user, and finally, installing the zabbix client.
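The moduli clean-up step above is the one with a trap in it, so here is an added example of the kind of filter that step runs. It is not the provision role's own task; the MIN_BITS value and function names are my assumptions. The caveat: in the moduli(5) format the Size field is the prime's bit length minus one, so a 3072-bit group is listed as 3071.

```sh
#!/bin/sh
# Added example, not the provision role's own task: filter an sshd moduli file so
# that only Diffie-Hellman group-exchange groups of at least 3072 bits remain.
# Caveat: in the moduli(5) format the 5th field (Size) is the prime's bit length
# minus one, so a 3072-bit group is listed as 3071. A filter written as
# '$5 >= 3072' would silently discard every 3072-bit group as well.

MIN_BITS=3072   # assumed threshold, matching the role's "less than 3072 bits" rule

# Print the lines of a moduli file whose group is at least MIN_BITS bits.
# Comment lines are kept so the header survives. Usage: filter_moduli FILE
filter_moduli() {
    awk -v min="$MIN_BITS" '
        /^#/ { print; next }
        NF >= 7 && ($5 + 1) >= min { print }
    ' "$1"
}

# Number of non-comment (i.e. usable) lines in a moduli file. Usage: count_moduli FILE
count_moduli() {
    grep -cv '^#' "$1" || true
}

# Replace FILE with its filtered version, keeping FILE.bak and FILE's own mode and
# owner. Refuses (exit 1) when nothing would survive: with an empty moduli file
# sshd falls back to a fixed built-in group, which is worse than noticing here.
# Usage: replace_moduli FILE
replace_moduli() {
    tmp=$(mktemp) || return 1
    filter_moduli "$1" > "$tmp"
    if [ "$(count_moduli "$tmp")" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    cp -p "$1" "$1.bak" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Constructed sample in moduli(5) layout (Time Type Tests Trials Size Generator
# Modulus); the hex moduli are shortened placeholders, real ones run to hundreds of digits.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Time Type Tests Trials Size Generator Modulus
20240101000000 2 6 100 2047 2 DEADBEEF
20240101000000 2 6 100 3071 2 CAFEBABE
20240101000000 2 6 100 4095 5 F00DF00D
EOF

replace_moduli "$SAMPLE" && echo "kept $(count_moduli "$SAMPLE") of 3 groups"   # prints: kept 2 of 3 groups
```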

So I stand up a new (FreeBSD) box or jail, I make sure the ansible user is installed on the host, keys are accepted from the ansible server, add the new host to the inventory, and then run ansible-playbook provision.yml -e <hostname> from the ansible server's roles directory. This will configure the system and have it ready for further configuration.

Note that while writing this blog post, I actually went through and reviewed the tasks in it, and found and made some very much needed corrections, from minor stuff like updating the python version that gets installed as an essential package from 3.9 to 3.11 (as 15.0-RELEASE comes closer, I will probably have to update again sooner rather than later) to making sure I was pushing the correct ssh keys out to the servers. I recently made the transition from rsa to ed25519 ssh keys, and have a separate playbook to push them to existing boxes, but I changed this role to ensure all boxes get the new keys going forward.

The thing that really makes me happy about this role is that, like I said earlier, you give it the name of a host and it configures everything that you need, and when it finishes its run, all of the things you would probably forget to configure from machine to machine, like replication or the mail agent, for instance, are already done. In my homelab, I configure a new host maybe 3 or 4 times a year.

In future Ansible Archives, I will look at other playbooks and roles I have completed or am working on, though I admit that as I have fleshed things out, actually writing playbooks has tended to taper off.

TODO items:

  • Add the ability to provision Devuan boxes.
  • Convert user creation tasks to use ansible vaults for passwords.