====== Ansible ======

=== Sprawdzanie, czy dzisiejszy, "cronowy" playbook wykonał się prawidłowo ===

  cat ansible.log | grep -E "^$(date "+%Y-%m-%d").*failed" | grep -Ev "failed\=0" | wc -l

Zakładając, że powyższe polecenie jest w pliku check_failed.sh i ścieżka do pliku z logami jest poprawna, można wysłać raport raport na IRC:

<code>
---
- name: Send status on IRC
  hosts: my-host.ping.local

  tasks:

  - name: Check failed tasks
    command: '/usr/bin/bash /home/lukasz/ansible/helpers/check_failed.sh'
    register: fails

  - name: Send a report to a fedora-pl channel
    irc:
      server: irc.libera.chat
      port: 6667
      nick: raport
      channel: '#fedora-pl'
      msg: "[ANSIBLE] Todays failed tasks: {{ fails['stdout_lines'][0] }}."
</code>

=== Plik konfiguracyjny ===

  [defaults]                                                                                                                             
  inventory=~/ansible/hosts
  log_path=~/ansible/var/ansible.log
  remote_user=ansemble
  interpreter_python=auto_silent
  [privilege_escalation]
  become=True
  become_ask_pass=False
  become_method=sudo
  [persistent_connection]
  [connection]
  [colors]
  [selinux]
  [diff]
  [galaxy]
  [inventory]
  [netconf_connection]
  [paramiko_connection]
  [jinja2]
  [tags]
  [runas_become_plugin]
  [su_become_plugin]
  [sudo_become_plugin]
  [callback_tree]
  [ssh_connection]
  ssh_args = -C -o ServerAliveInterval=33 -o ControlMaster=auto -o ControlPersist=66s
  timeout=21
  [winrm]
  [inventory_plugins]
  [inventory_plugin_script]
  [inventory_plugin_yaml]
  [url_lookup]
  [powershell]
  [vars_host_group_vars]

Ustawienie //auto_silent// usuwa ostrzeżenia o wersji Pythona z każdego przebiegu playbooków. Warto użyć nazwy użytkownika, która nie jest zbyt często zgadywana przez boty.

=== Pętle w playbookach oraz helpery ===

Przykład playbooka korzystącego z pętli:

<code>
---
- name: Enable users
  hosts: all

  tasks:

  - name: Ensure that users exists and are in correct groups
    include_tasks: helpers/users_enable.yaml
    loop:
    - {username: lukasz, comment: Lukasz, sshkey: "{{ lookup('file', 'ssh_keys/lukasz') }}"}

#  - name: Ensure that users can not login
#    include_tasks: helpers/users_disable.yaml
#    loop:
#    - {username: qwerty, comment: QWERTY, sshkey: "{{ lookup('file', 'ssh_keys/QWERTY') }}"}
</code>

Plik helpers/user_enable.yaml:

<code>
- debug:
    msg: user - {{ item.username }}


- name: Ensure user exists and is in correct groups on FreeBSD
  user:
    name: "{{ item.username }}" 
    comment: "{{ item.comment }}"
    shell: /usr/local/bin/bash
    groups: wheel
    append: yes
  when: ansible_os_family == 'FreeBSD'

- name: Ensure user exists and is in correct groups on Gentoo and RedHat-like hosts
  user:
    name: "{{ item.username }}" 
    comment: "{{ item.comment }}"
    shell: /bin/bash
    groups: wheel
    append: yes
  when: ansible_os_family == 'Gentoo' or ansible_os_family == 'RedHat'

- name: Ensure user exists and is in correct groups on Debian-like hosts
  user:
    name: "{{ item.username }}" 
    comment: "{{ item.comment }}"
    shell: /bin/bash
    groups: sudo
    append: yes
  when: ansible_os_family == 'Debian'

- name: Set authorized SSH keys for user
  authorized_key:
    user: "{{ item.username }}"
    key: "{{ item.sshkey }}"
    state: present
    exclusive: True

- name: Ensure user is able to log in
  user:
    name: "{{ item.username }}"
    password_lock: no

- name: Set permissions to home directory
  file:
    path: /home/{{ item.username }}
    owner: "{{ item.username }}"
    group: "{{ item.username }}"
    mode: '700'
</code>

Plik helpers/user_disable.yaml:

<code>
- debug:
    msg: user - {{ item.username }}

- name: Ensure user is not able to log in
  user:
    name: "{{ item.username }}"
    password_lock: yes

- name: Unset authorized SSH keys for user
  authorized_key:
    user: "{{ item.username }}"
    key: "{{ item.sshkey }}"
    state: absent

- name: Set permissions to home directory on Linux
  file:
    owner: root
    group: root
    path: /home/{{ item.username }}
    mode: '700'
  when: ansible_os_family == 'Gentoo' or ansible_os_family == 'RedHat' or ansible_os_family == 'Debian'

- name: Set permissions to home directory on FreeBSD
  file:
    owner: root
    group: wheel
    path: /home/{{ item.username }}
    mode: '700'
  when: ansible_os_family == 'FreeBSD'
</code>

Plik w katalogu //ssh_keys// jest skopiowany z //~/.ssh/id_rsa.pub//.

=== Ansible 2.9 na CentOS Stream 8 ===

W repozytorium ósmego Streama pojawiły się pakiety ansible-core w nowych wersjach, niekompatybilne z playbookami pisanymi pod wersję 2.9. Stara wersja jest wciąż dostępna na EPEL-u:

  dnf install epel-release
  dnf install ansible --exclude=ansible-core

Do pliku /etc/yum.conf warto dodać wyjątek, żeby nie musieć o nim ciągle pamiętać.

  exclude=ansible-core