Ansible Automation
Manager node:
Managed nodes:
Ansible by default manages machines over SSH and assumes SSH keys are being used. Ansible only needs to be installed on a machine to be able to manage other machines and it doesn't leave software installed or running on managed machines.
sudo apt update
sudo apt install python
Install Pip
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python get-pip.py --user
export "PATH=$PATH:/home/ubuntu/.local/bin/"
echo "PATH=$PATH:/home/ubuntu/.local/bin/" >> ~/.bashrc
Then install ansible
pip install --user ansible
ansible --version
The purpose of the credentials folder is to store sensitive data. The file 'id_rsa' is an encrypted private key, ansible can work with it via the credentials.yml
file.
To launch ansible with the ability to unlock the encrypted file, add --ask-vault-pass
to the launch command.
The encrypted file can be replaced with a clear text key, in such case launching ansible with --ask-vault-pass
is unnecessary-
To modify the file, position yourself in Ansible
and use the command ansible-vault edit credentials/id_rsa
.
To replace the key with your own encrypted key, copy your key file inside credentials and launch ansible-vault encrypt credentials/filename
It is the core component of this configuration, it contains all the tasks that are going to be performed and more environment specific options.
Change directory into Ansible
folder, then update the inventory.ini
file with the actual IP addresses of the target machines.
To unlock the Ansible Vault a password is required. Such password can be input interactively at runtime by providing the --ask-vault-pass
parameter to ansible or non interactivally via a vault password file. The path to such file can be set via a parameter to ansible or an environment variable:
Create the password file
echo "mypassword" > ~/.vault_pass
chmod 600 ~/.vault_pass
Using the password file parameter, appending the following to ansible commands:
--vault-password-file ~/.vault_pass
Via environment variable:
export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass
ansible-playbook loadBalancer.yml
Note: if password is required for sudo privileges on the target machine, append the --ask-become-pass
parameter to the command above
Vars you may want to change / override in loadbalancer
role:
logs_retention
which governs how long the log files are retained on the machine
In the templates
directory for the loadbalancer
role you'll find template files used for:
haproxy.cfg
: HAProxy main config fileansible-playbook webServer.yml --ask-vault-pass
Note: if password is required for sudo privileges on the target machine, append the --ask-become-pass
parameter to the command above
As stated previously, remove --ask-vault-pass
if you are not using any encrypted file.
You can limit your run to one or more roles or tasks by editing the playbook in this way
- { role: rolename, tags: "tagname" }
and launching the playbook with --tags "tagname"
ansible-playbook playbook.yml --ask-become-pass --ask-vault-pass --tags "tagname"
Vars you may want to change / override in the geoserver role:
tomcat_allowed_origins
: allowed Origins for Tomcat
logs_retention
: which governs how long the log files are retained on the machine
audits_retention
: which governs how long the log files are retained on the machine
java_opts
: which governs JVM, Tomcat and GeoServer settings
git_username
, git_email
, repo_name
, repo_url
: which determine what Gitlab repository to clone the GeoServer datadir from and what git user settings
geoserver_admin_user
, geoserver_admin_pass
: should match geoserver credentials set in the provided datadir from gitlab
geoserver_pg_user
, geoserver_pg_pass
: these credentials will be used to create a user in PSQL and create the context.xml
file with JNDI connection pool to PSQL for GeoServer
In the templates
directory for the GeoServer role you'll find template files used for:
context.xml
: JNDI connection pool settingsserver.xml
: Tomcat listening ports and logging AccessLogValve settings web.xml
: CORS settingsgeoserver
: config file to rotate GeoServer logsansible-playbook webServer.yml --ask-vault-pass --tags config_update
This will trigger two tasks in the play to: