28 mars 2019 – organisé par Evolix
$ who
Jérémy Lecour <jlecour@evolix.fr>
Grégory Colpart <reg@evolix.fr>
$ whois Evolix
EVOLIX-AS : AS 197696
$ man Evolix
Open Source managed hosting provider
$ uptime
up 14 years, 20 users
$ whereis Evolix
/fr/Marseille, /fr/Aix, /fr/Paris, /ca/Montréal
$ top
Linux/BSD servers: 800, customers: 120
24-26 septembre 2019 à Atlanta
Ansible Best Practices: Roles and Modules
###
# ansible-playbook evolinux.yml --ask-vault-pass --diff --check
---
# Baseline play for every host. Facts are gathered because the roles read
# them, privilege escalation is always on, and the secrets file is
# Vault-encrypted (hence --ask-vault-pass on the command line above).
- hosts: all
  gather_facts: true
  become: true
  vars_files:
    - vars/evolinux-secrets.yml
  roles:
    - evolinux-base
    - evolinux-users
###
# ansible-playbook upgrade.yml -K --ask-vault-pass --skip-tags post-upgrade --diff (--check)
#
# The upgrade has 3 steps:
# 1. Run the playbook with "--skip-tags post-upgrade" before dist-upgrade
# 2. SSH into the server to do `apt dist-upgrade`
# 3. Run the playbook with "--skip-tags pre-upgrade" after dist-upgrade
#
# Reference documentation can be found at
# https://wiki.evolix.org/HowtoDebian/MigrationJessieStretch
#
# Each group of tasks has one or more tags so that tasks can be run selectively.
# see https://docs.ansible.com/ansible/latest/user_guide/playbooks_tags.html
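# roles/minifirewall/handlers/main.yml
---
# Real handler: restart the firewall through its init script.
# failed_when REPLACES Ansible's default rc check, so the exit status is
# folded back into the condition: a non-zero exit must never be reported as
# success just because the init script happened to print its OK line.
- name: restart minifirewall
  command: /etc/init.d/minifirewall restart
  register: minifirewall_init_restart
  failed_when: >-
    minifirewall_init_restart.rc != 0
    or 'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout
  changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"

# Placeholder handler with the same name pattern. Tasks notify
# minifirewall_restart_handler_name, which points here when
# minifirewall_restart_if_needed is false, so the notified handler always
# exists even though nothing is restarted.
- name: restart minifirewall (noop)
  meta: noop
  register: minifirewall_init_restart
  failed_when: false
  changed_when: false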
# roles/minifirewall/tasks/main.yml
# Resolve the handler name once so every task can simply `notify` the
# variable; the noop handler is chosen when restarts are disabled.
- name: Select the minifirewall restart handler
  set_fact:
    minifirewall_restart_handler_name: >-
      {{ 'restart minifirewall' if minifirewall_restart_if_needed
         else 'restart minifirewall (noop)' }}
# roles/minifirewall/defaults/main.yml
# Restart the firewall when its configuration changes. Set to false to route
# notifications to the noop handler instead (e.g. to stage a config change
# without reloading rules).
minifirewall_restart_if_needed: true
# firewall.yml
##
# ansible-playbook firewall.yml
---
# Deploy the minifirewall role on every host as root.
- hosts: all
  gather_facts: true
  become: true
  vars:
    # Set to false to disable the restart handler execution
    # (the role then notifies its noop handler).
    minifirewall_restart_if_needed: true
  roles:
    - minifirewall
---
# Append a site-specific rule to the minifirewall tail file and notify
# whichever handler minifirewall_restart_handler_name points at (the real
# restart, or the noop when restarts are disabled).
#
# NOTE(review): `-i eth0 -j ACCEPT` admits every packet arriving on eth0,
# whatever its source. That is only acceptable if eth0 really is a private
# interface; on a shared segment add a source restriction (`-s <lan-cidr>`).
- name: Add the private LAN rule to the minifirewall tail file
  blockinfile:
    path: "{{ minifirewall_tail_file }}"
    marker: "# {mark} PRIVATE LAN"
    block: |
      /sbin/iptables -A INPUT -i eth0 -j ACCEPT
  notify: "{{ minifirewall_restart_handler_name }}"
# roles/upgrade-jessie-to-stretch/tasks/main.yml
---
# Refuse to run anywhere but Debian 8 (before dist-upgrade) or Debian 9
# (after it). The check is gated by upgrade_stretch_check_compatibility.
- name: "System compatibility checks"
  assert:
    that:
      - ansible_distribution == "Debian"
      - ansible_distribution_major_version | version_compare('8', '>=')
      - ansible_distribution_major_version | version_compare('9', '<=')
    msg: only compatible with Debian = 8 and 9
  when: upgrade_stretch_check_compatibility

# Backup first; tagged so it can be skipped or run on its own.
- include: backup.yml
  tags: backup

# Put /etc under git, then record its state before anything is changed.
- include_role:
    name: etc-git
  tags: etc-git-install

- include_role:
    name: etc-git
    tasks_from: commit.yml
  vars:
    commit_message: "Ansible pre-run upgrade-jessie-to-stretch.yml"
  tags: etc-git-commit

# is_mysql / is_mariadb are presumably registered by earlier tasks that are
# not shown here.
- include: mysql-pre.yml
  when: is_mysql.rc == 0 or is_mariadb.rc == 0
  tags: mysql

# Surface the operator's todo list. A missing file is not an error, and the
# read is allowed under --check so the list still shows up in dry runs.
- name: Read the todo list
  command: "cat /etc/evolinux/todo.txt"
  register: evolinux_todo
  changed_when: false
  failed_when: false
  check_mode: false

- name: Show the todo list
  debug:
    var: evolinux_todo.stdout_lines
  when: evolinux_todo.stdout != ""
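# roles/haproxy/tasks/main.yml
# Most specific template wins: per-host, then per-group, then the role's own
# default. The rendered file is syntax-checked by haproxy before it replaces
# the live configuration, so a bad template cannot leave the proxy unable
# to start on its next reload.
# NOTE(review): `haproxy -c` also resolves files the config references
# (certificates, maps); deploy those before this task or the check fails.
- name: Copy HAProxy configuration
  template:
    src: "{{ item }}"
    dest: /etc/haproxy/haproxy.cfg
    validate: "haproxy -c -f %s"
  with_first_found:
    - "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
    - "templates/haproxy/haproxy.{{ host_group }}.cfg.j2"
    - "templates/haproxy/haproxy.default.cfg.j2"
    - "haproxy.default.cfg.j2"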
# vars/main.yml
# Catalogue of every account the users role knows about; users_present /
# users_absent select entries from it by key (foo, bar, ...).
#
# NOTE(review): password_hash values are credentials (public SSH keys are
# not). Keep this file Vault-encrypted rather than in clear text in the
# repository — the playbooks here already load secrets with
# --ask-vault-pass. The hashes and key below are truncated placeholders,
# not usable values.
users_db:
  foo:
    name: foo
    uid: 42081
    fullname: 'Mr Foo'
    password_hash: "$6$6/CHVo1Ftrsmn805xY"
  bar:
    name: bar
    uid: 42082
    fullname: 'Mr Bar'
    password_hash: "$6$6/Ctrsmn80HVo1F5xY"
    ssh_keys:
      - "ssh-rsa AAAAB3NzaC1ycBe6mRGUw=="
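# roles/users/tasks/main.yml
# Fail early: an empty users_db means the inventory is wrong, not that there
# is nothing to do.
- assert:
    that: users_db != {}
    msg: "Error: empty variable 'users_db'!"

# Every requested name must exist in users_db; check it up front so the
# failure is a clear message instead of an undefined-variable error in the
# middle of adduser.yml.
- name: Check that every requested user is described in users_db
  assert:
    that: "users_present | default([]) | difference(users_db.keys() | list) | length == 0"
    msg: "Error: users_present contains names missing from 'users_db'"

# One include per user to create. `user` is resolved lazily inside
# adduser.yml, so it must only be read while `item` still holds the outer
# loop value.
# NOTE(review): if adduser.yml has its own loop, the inner `item` shadows
# the outer one and users_db[item] resolves to the wrong entry; set
# loop_control/loop_var here once adduser.yml is confirmed not to rely on
# `item` itself.
- include: adduser.yml
  vars:
    user: "{{ users_db[item] }}"
  with_items: "{{ users_present | default([]) }}"

# One include per user to remove; `name` is the loop variable deluser.yml reads.
- include: deluser.yml
  loop_control:
    loop_var: name
  with_items: "{{ users_absent | default([]) }}"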
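# roles/users/tasks/main.yml
# Merge the three inventory levels (all / group / host) into one list each.
# Each level is optional, so an undefined variable counts as an empty list.
# (The original expression also lacked the closing parenthesis around the
# users_present_for_* sum, which made the template fail to parse.)
- name: Compute the users to remove
  set_fact:
    users_absent: >-
      {{ (users_absent_for_all | default([])
          + users_absent_for_group | default([])
          + users_absent_for_host | default([])) | unique }}

# Absence wins: a name listed at any level in users_absent_for_* is dropped
# from users_present even if another level requests it.
- name: Compute the users to create
  set_fact:
    users_present: >-
      {{ (users_present_for_all | default([])
          + users_present_for_group | default([])
          + users_present_for_host | default([]))
         | unique | difference(users_absent) }}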
# group_vars/all.yml
# Lowest level of the merge: applies to every host.
users_present_for_all:
  - foo
users_absent_for_all:
  - qux

# group_vars/database.yml
# Explicit empty list: nothing extra for the database group.
users_present_for_group: []

# host_vars/sql00.yml
# Host-level addition; merged with the group and all-hosts lists above.
users_present_for_host:
  - bar
# /etc/filebeat/filebeat.yml
# Elasticsearch output
# NOTE(review): no protocol, TLS or credential settings appear here, so this
# presumably ships logs over plain HTTP to port 9200 — confirm the transport
# is acceptable on that network segment.
output.elasticsearch:
  hosts: ['192.168.10.42:9200', '192.168.10.43:9200']
# host_vars/sql00.yml
---
# Elasticsearch endpoints for this host. Kept quoted: the values contain a
# colon, so they must never be left to YAML's implicit typing.
filebeat__elasticsearch_hosts:
  - "192.168.10.42:9200"
  - "192.168.10.43:9200"
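# roles/filebeat/templates/filebeat.yml.j2
# Elasticsearch output
# The host list is rendered inline after `hosts:`, so it must come out as a
# single-line flow sequence. to_json guarantees that for any list shape;
# to_yaml only does so for a flat list of scalars and may emit a multi-line
# block sequence otherwise, which is invalid on the same line as the key.
# NOTE(review): no protocol, TLS or credential settings are templated here,
# so this presumably ships over plain HTTP — confirm against the ES setup.
output.elasticsearch:
  hosts: {{ filebeat__elasticsearch_hosts | to_json }}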