From 49a3a9a9e6ef587d005cfa29f85fe8b1f0661a42 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Tue, 5 Jul 2016 14:41:00 +0100 Subject: [PATCH 01/20] begins ansible provisioning with basic playbook --- Vagrantfile | 11 ++++------- playbook.yml | 6 ++++++ 2 files changed, 10 insertions(+), 7 deletions(-) create mode 100644 playbook.yml diff --git a/Vagrantfile b/Vagrantfile index 12d9294..5342d98 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -61,11 +61,8 @@ Vagrant.configure(2) do |config| # push.app = "YOUR_ATLAS_USERNAME/YOUR_APPLICATION_NAME" # end - # Enable provisioning with a shell script. Additional provisioners such as - # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the - # documentation for more information about their specific syntax and use. - # config.vm.provision "shell", inline: <<-SHELL - # sudo apt-get update - # sudo apt-get install -y apache2 - # SHELL + config.vm.provision "ansible" do |ansible| + ansible.playbook = "playbook.yml" + end + end diff --git a/playbook.yml b/playbook.yml new file mode 100644 index 0000000..9b633b9 --- /dev/null +++ b/playbook.yml @@ -0,0 +1,6 @@ +--- +- hosts: all + + tasks: + - name: pwd + command: pwd From 6baa862b182dd5563b00bb0442ba3129733bb177 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Tue, 5 Jul 2016 14:44:20 +0100 Subject: [PATCH 02/20] allows for ansible-playbook command provisioning --- ansible.cfg | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ansible.cfg diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..9fd417b --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,3 @@ +[defaults] +inventory = .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory +host_key_checking = False From ef7cee9fd6b11d87e7af743d725e372f5ad142e5 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Tue, 5 Jul 2016 14:44:33 +0100 Subject: [PATCH 03/20] gitignores retry files --- .gitignore | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.gitignore b/.gitignore index 8000dd9..a058c8c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .vagrant +*.retry From f35c00598b129901b89fd84c7c3d5ac9b08d3e99 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Tue, 5 Jul 2016 15:01:07 +0100 Subject: [PATCH 04/20] symlinks the vagrant-generated inventory to a hosts dir --- ansible.cfg | 2 +- hosts/development | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) create mode 120000 hosts/development diff --git a/ansible.cfg b/ansible.cfg index 9fd417b..a5fa946 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,3 +1,3 @@ [defaults] -inventory = .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory +inventory = ./hosts host_key_checking = False diff --git a/hosts/development b/hosts/development new file mode 120000 index 0000000..3c0a018 --- /dev/null +++ b/hosts/development @@ -0,0 +1 @@ +../.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory \ No newline at end of file From 189bc10c231617c30a9a07055ac61403d7f0cc51 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Tue, 5 Jul 2016 15:19:46 +0100 Subject: [PATCH 05/20] disables host key checking on specific host groups, instead of globally --- Vagrantfile | 5 ++++- ansible.cfg | 1 - hosts/insecure_ssh | 5 +++++ 3 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 hosts/insecure_ssh diff --git a/Vagrantfile b/Vagrantfile index 5342d98..31bf973 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -63,6 +63,9 @@ Vagrant.configure(2) do |config| config.vm.provision "ansible" do |ansible| ansible.playbook = "playbook.yml" + ansible.groups = { + 'development' => ['default'] + } end - + end diff --git a/ansible.cfg b/ansible.cfg index a5fa946..34662e9 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,3 +1,2 @@ [defaults] inventory = ./hosts -host_key_checking = False diff --git a/hosts/insecure_ssh b/hosts/insecure_ssh new file mode 100644 index 0000000..81a1381 --- /dev/null +++ b/hosts/insecure_ssh 
@@ -0,0 +1,5 @@ +[insecure_ssh:children] +development + +[insecure_ssh:vars] +ansible_ssh_common_args='-o StrictHostKeyChecking=no' From b3377805b86ce4a1e90cd466a6dd1434a82a99ec Mon Sep 17 00:00:00 2001 From: discopatrick Date: Tue, 5 Jul 2016 15:20:41 +0100 Subject: [PATCH 06/20] disables unnecessary vagrant features for faster `vagrant up` --- Vagrantfile | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 31bf973..c085e17 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -10,6 +10,11 @@ Vagrant.configure(2) do |config| # For a complete reference, please see the online documentation at # https://docs.vagrantup.com. + # disable vagrant-vbguest plugin + if Vagrant.has_plugin?("vagrant-vbguest") + config.vbguest.no_install = true + end + # Every Vagrant development environment requires a box. You can search for # boxes at https://atlas.hashicorp.com/search. config.vm.box = "ubuntu/trusty64" @@ -33,11 +38,8 @@ Vagrant.configure(2) do |config| # your network. # config.vm.network "public_network" - # Share an additional folder to the guest VM. The first argument is - # the path on the host to the actual folder. The second argument is - # the path on the guest to mount the folder. And the optional third - # argument is a set of non-required options. - # config.vm.synced_folder "../data", "/vagrant_data" + # disables the default synced folder - not used in this project + config.vm.synced_folder ".", "/vagrant", disabled: true # Provider-specific configuration so you can fine-tune various # backing providers for Vagrant. These expose provider-specific options. From f59d0edf405ed8158401e887eba8976924eb2a6a Mon Sep 17 00:00:00 2001 From: discopatrick Date: Tue, 5 Jul 2016 16:19:25 +0100 Subject: [PATCH 07/20] adds a staging host, with ssh user specified in inventory --- hosts/staging | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 hosts/staging 
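Review bot: The comment `# disable vagrant-vbguest plugin` overstates what the line under it does: `config.vbguest.no_install = true` only tells the plugin not to install Guest Additions, it does not disable the plugin. A comment such as `# skip the automatic Guest Additions install by vagrant-vbguest (faster vagrant up)` describes the actual effect. The `synced_folder` change is fine as written; it also keeps the project directory off the guest, which is worth stating in its comment alongside "not used in this project".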
diff --git a/hosts/staging b/hosts/staging new file mode 100644 index 0000000..42b18c5 --- /dev/null +++ b/hosts/staging @@ -0,0 +1,2 @@ +[staging] +178.62.106.150 ansible_ssh_user='root' From ba5ba66104aa14683408cef4e620a1b1496c2002 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Tue, 5 Jul 2016 16:31:00 +0100 Subject: [PATCH 08/20] adds admin_user role, only to be performed on non-development hosts --- playbook.yml | 9 ++++++--- roles/admin_user/tasks/main.yml | 5 +++++ 2 files changed, 11 insertions(+), 3 deletions(-) create mode 100644 roles/admin_user/tasks/main.yml diff --git a/playbook.yml b/playbook.yml index 9b633b9..9a42d58 100644 --- a/playbook.yml +++ b/playbook.yml @@ -1,6 +1,9 @@ --- - hosts: all - tasks: - - name: pwd - command: pwd + pre_tasks: + - name: pwd + command: pwd + + roles: + - { role: admin_user, when: "'development' not in group_names" } diff --git a/roles/admin_user/tasks/main.yml b/roles/admin_user/tasks/main.yml new file mode 100644 index 0000000..21ccc4f --- /dev/null +++ b/roles/admin_user/tasks/main.yml @@ -0,0 +1,5 @@ +--- + +- name: create admin group + group: + name: admin From bbf618edcbfd9c91f4c1375d6c75acab6d14636a Mon Sep 17 00:00:00 2001 From: discopatrick Date: Fri, 8 Jul 2016 12:55:00 +0100 Subject: [PATCH 09/20] creates admin user with key-based ssh and paswordless sudo --- roles/admin_user/tasks/main.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/roles/admin_user/tasks/main.yml b/roles/admin_user/tasks/main.yml index 21ccc4f..379e72f 100644 --- a/roles/admin_user/tasks/main.yml +++ b/roles/admin_user/tasks/main.yml 
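Review bot: The new `hosts/staging` file commits a concrete public address together with `ansible_ssh_user='root'`, so the repository now carries environment-specific connection details and pins the staging login to root. Inventory entries for real hosts are better kept out of version control (a gitignored file plus a committed `.example`), and the root login should only serve the initial bootstrap rather than be the permanent inventory user. If this history is ever published, the address stays visible in earlier commits even after the file is removed.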
@@ -3,3 +3,22 @@ - name: create admin group group: name: admin + +- name: Allow admin group to have passwordless sudo + lineinfile: + dest: /etc/sudoers + state: present + regexp: '^%admin' + line: '%admin ALL=(ALL) NOPASSWD: ALL' + +- name: create admin user in admin group + user: + name: admin + groups: admin + append: yes + shell: /bin/bash + +- name: add ssh public key for admin user + authorized_key: + user: admin + key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" From c1c76003681ef5c76aed0b2399cac1e24ac7ff81 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Fri, 8 Jul 2016 12:57:01 +0100 Subject: [PATCH 10/20] adds staging to insecure_ssh group. requires workaround of renaming files to order alphabetically --- hosts/{development => _development} | 0 hosts/{staging => _staging} | 0 hosts/insecure_ssh | 1 + 3 files changed, 1 insertion(+) rename hosts/{development => _development} (100%) rename hosts/{staging => _staging} (100%) diff --git a/hosts/development b/hosts/_development similarity index 100% rename from hosts/development rename to hosts/_development diff --git a/hosts/staging b/hosts/_staging similarity index 100% rename from hosts/staging rename to hosts/_staging diff --git a/hosts/insecure_ssh b/hosts/insecure_ssh index 81a1381..b32d67f 100644 --- a/hosts/insecure_ssh +++ b/hosts/insecure_ssh @@ -1,5 +1,6 @@ [insecure_ssh:children] development +staging [insecure_ssh:vars] ansible_ssh_common_args='-o StrictHostKeyChecking=no' From 58eed449f71a383078487b9ef6287e123f1188e7 Mon Sep 17 00:00:00 2001 
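Review bot: The `Allow admin group to have passwordless sudo` task edits /etc/sudoers with no syntax check, so a malformed line would leave the host with sudo broken for every user. Give lineinfile a validate step, `validate: '/usr/sbin/visudo -cf %s'`, so the change is rejected before it is written. The `authorized_key` task also installs whichever key happens to be at `~/.ssh/id_rsa.pub` on the control machine, which makes the NOPASSWD-sudo admin account's key depend on who runs the playbook; taking the key path or content from a role variable makes it explicit and reviewable.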
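Review bot: Adding `staging` under `[insecure_ssh:children]` turns off host-key verification for a remote host, not just the local Vagrant box, and the admin_user role uses that same connection to edit sudoers and install an SSH key as root. Without host-key checking nothing detects a machine on the path impersonating the staging host during that bootstrap. For hosts outside Vagrant, pinning the expected key is the safer fix, e.g. a project-level known_hosts file passed via `ansible_ssh_common_args='-o UserKnownHostsFile=<path-to-project-known_hosts>'` and refreshed when the host is rebuilt, leaving `StrictHostKeyChecking=no` for the development group only.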
From: discopatrick Date: Fri, 8 Jul 2016 15:47:33 +0100 Subject: [PATCH 11/20] adds remote_user_test role. removes pre_tasks and fact gather. sets remote users with vars. removes ansible_ssh_user from inventory to allow more granular setting. --- group_vars/development.yml | 5 +++++ group_vars/staging.yml | 3 +++ hosts/.gitignore | 1 + hosts/_staging | 2 -- hosts/_staging.example | 5 +++++ playbook.yml | 8 +++++--- roles/admin_user/tasks/main.yml | 4 ++++ roles/admin_user/vars/main.yml | 3 +++ roles/remote_user_test/tasks/main.yml | 10 ++++++++++ 9 files changed, 36 insertions(+), 5 deletions(-) create mode 100644 group_vars/development.yml create mode 100644 group_vars/staging.yml create mode 100644 hosts/.gitignore delete mode 100644 hosts/_staging create mode 100644 hosts/_staging.example create mode 100644 roles/admin_user/vars/main.yml create mode 100644 roles/remote_user_test/tasks/main.yml diff --git a/group_vars/development.yml b/group_vars/development.yml new file mode 100644 index 0000000..4f0a714 --- /dev/null +++ b/group_vars/development.yml @@ -0,0 +1,5 @@ +--- + +# this actually gets overriden by ansible_ssh_user in the inventory, +# but should be defined here regardless, to avoid an undefined variable error +my_remote_user: vagrant diff --git a/group_vars/staging.yml b/group_vars/staging.yml new file mode 100644 index 0000000..cf47f33 --- /dev/null +++ b/group_vars/staging.yml @@ -0,0 +1,3 @@ +--- + +my_remote_user: admin diff --git a/hosts/.gitignore b/hosts/.gitignore new file mode 100644 index 0000000..987a4be --- /dev/null +++ b/hosts/.gitignore @@ -0,0 +1 @@ +_staging diff --git a/hosts/_staging b/hosts/_staging deleted file mode 100644 index 42b18c5..0000000 --- a/hosts/_staging +++ /dev/null @@ -1,2 +0,0 @@ -[staging] -178.62.106.150 ansible_ssh_user='root' diff --git a/hosts/_staging.example b/hosts/_staging.example new file mode 100644 index 0000000..874a36a --- /dev/null +++ b/hosts/_staging.example 
@@ -0,0 +1,5 @@ +# rename this file to _staging, uncomment the lines below, +# and add your own staging hostname + +#[staging] +#your_staging_hostname_or_ip diff --git a/playbook.yml b/playbook.yml index 9a42d58..e98964f 100644 --- a/playbook.yml +++ b/playbook.yml @@ -1,9 +1,11 @@ --- - hosts: all + gather_facts: no - pre_tasks: - - name: pwd - command: pwd + # pre_tasks: + # - name: pwd + # command: pwd roles: - { role: admin_user, when: "'development' not in group_names" } + - { role: remote_user_test, tags: ['remote_user_test'] } diff --git a/roles/admin_user/tasks/main.yml b/roles/admin_user/tasks/main.yml index 379e72f..907b289 100644 --- a/roles/admin_user/tasks/main.yml +++ b/roles/admin_user/tasks/main.yml @@ -1,10 +1,12 @@ --- - name: create admin group + remote_user: "{{ admin_user_role_remote_user }}" group: name: admin - name: Allow admin group to have passwordless sudo + remote_user: "{{ admin_user_role_remote_user }}" lineinfile: dest: /etc/sudoers state: present @@ -12,6 +14,7 @@ line: '%admin ALL=(ALL) NOPASSWD: ALL' - name: create admin user in admin group + remote_user: "{{ admin_user_role_remote_user }}" user: name: admin groups: admin @@ -19,6 +22,7 @@ shell: /bin/bash - name: add ssh public key for admin user + remote_user: "{{ admin_user_role_remote_user }}" authorized_key: user: admin key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" diff --git a/roles/admin_user/vars/main.yml b/roles/admin_user/vars/main.yml new file mode 100644 index 0000000..82a3576 --- /dev/null +++ b/roles/admin_user/vars/main.yml @@ -0,0 +1,3 @@ +--- + +admin_user_role_remote_user: root diff --git a/roles/remote_user_test/tasks/main.yml b/roles/remote_user_test/tasks/main.yml new file mode 100644 index 0000000..03b5e1d --- /dev/null +++ b/roles/remote_user_test/tasks/main.yml 
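Review bot: `admin_user_role_remote_user: root` is placed in `roles/admin_user/vars/main.yml`, where it has higher precedence than inventory, group_vars and host_vars, so a user who needs a different bootstrap account for one environment cannot override it from there. Moving it to `roles/admin_user/defaults/main.yml` keeps the same default while letting inventory or play vars override it. The four identical `remote_user: "{{ admin_user_role_remote_user }}"` lines added in tasks/main.yml could then also be set once on a `block:` around the tasks, which accepts `remote_user` in the Ansible 2.x releases I know of; the version targeted by this repo is not recorded here.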
@@ -0,0 +1,10 @@ +--- + +- name: get current username + command: id -u -n + remote_user: "{{ my_remote_user }}" + register: user_name + +- name: print current username + debug: + var: user_name.stdout From 72e299411c73b6c15a1a395cf96084b9508d03d1 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Fri, 8 Jul 2016 15:51:01 +0100 Subject: [PATCH 12/20] adds readme to inventory dir, ignores inventory .md files via ansible.cfg --- ansible.cfg | 1 + hosts/README.md | 31 +++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 hosts/README.md diff --git a/ansible.cfg b/ansible.cfg index 34662e9..916bc23 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,2 +1,3 @@ [defaults] inventory = ./hosts +inventory_ignore_extensions = .md, .txt diff --git a/hosts/README.md b/hosts/README.md new file mode 100644 index 0000000..d3dc3a0 --- /dev/null +++ b/hosts/README.md 
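Review bot: Setting `inventory_ignore_extensions = .md, .txt` replaces Ansible's built-in ignore list rather than extending it, so editor backups (`_staging~`), `.orig`/`.bak` copies and `.retry` files dropped into hosts/ would now be parsed as inventory. Because `hosts/` is a directory inventory, such a stray file can add or redefine hosts for `hosts: all` without any warning. Include the defaults alongside the new entries, e.g. `inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo, .md, .txt`.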
@@ -0,0 +1,31 @@ +# Inventory + +Note: this file would normally be parsed as an inventory file! However, we have ignored .md files in ansible.cfg + +## Why are some inventory file names prefixed with underscores? + +This is a workaround for a problem. The contents of the hosts directory are processed in alphabetical order. This means that if you had inventory files 'a' and 'b', and in 'a' you tried to reference a group name that is defined in 'b', you would get an error like: `"Section [mysection:children] includes undefined group: mygroup"` + +To work around this, we make sure all groups are defined first (hence adding the underscore to make them first alphabetically). + +# What is the insecure_ssh inventory file? + +(The insecure_ssh file is based on a solution found here: http://stackoverflow.com/a/35564773/3293805) + +This file adds a nested inventory group that allows us to disable strict host key checking for a group of servers. Strict host key checking is how SSH determines whether the machine you're connecting to is the machine you really think it is, by checking its 'fingerprint'. + +But why would we want to disable this? + +Disabling string host key checking is particularly useful for the development group, the server for which (in this project) is built on vagrant. If you do a `vagrant destroy` followed by a `vagrant up`, you will have a brand new machine with a brand new 'fingerprint', but with the same IP address of 127.0.0.1. Thus, the next time you run the ansible-playbook command, the connection will fail, and you'll see an error message like: + +> WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! + +In fact, nothing nasty is happening, we've just rebuilt our machine. By disabling strict host key checking, we allow ansible to continue to connect to the machine. 
+ +Disabling string host key checking can also be useful if you test your playbooks against a remote host, and you occasionally rebuild that host (e.g. on AWS or Digital Ocean). For this reason, this project also disables strict host key checking for the 'staging' group. + +To disable strict host key checking for a group, add the group name under `[insecure_ssh:children]` in the 'insecure_ssh' file. This should not be done on production, or indeed any server you plan to deploy sensitive information to (which might include staging). Use at your own risk. + +Note: +* Running `vagrant provision` after rebuilding your vagrant machine does not throw up the above warning, so disabling strict host key checking is only necessary if you're trying to run ansible directly, e.g. via `ansible-playbook`. Likewise, `vagrant ssh` does not throw up the warning. +* Disabling strict host key checking in ansible does not have an effect when SSH'ing into the machine using the ssh command - you will see the above warning. A workaround in this case is to remove the old 'fingerprint' from your ~/.ssh/known_hosts file. Look for the IP address of the machine, and remove that line from the file. From b5ff6935ea368be86940ddc4944f057e5489886f Mon Sep 17 00:00:00 2001 From: discopatrick Date: Fri, 8 Jul 2016 19:03:36 +0100 Subject: [PATCH 13/20] gets home dir of current user --- roles/remote_user_test/tasks/main.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/remote_user_test/tasks/main.yml b/roles/remote_user_test/tasks/main.yml index 03b5e1d..3748ee7 100644 --- a/roles/remote_user_test/tasks/main.yml +++ b/roles/remote_user_test/tasks/main.yml 
@@ -5,6 +5,11 @@ remote_user: "{{ my_remote_user }}" register: user_name -- name: print current username +- name: print home directory + command: echo $HOME + remote_user: "{{ my_remote_user }}" + register: user_home + +- name: print username and home dir debug: - var: user_name.stdout + msg: "user: {{ user_name.stdout }} --- home: {{ user_home.stdout }}" From e4a0351c78c7eadeac09c8de4a3310c5eb2fc4d6 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Fri, 8 Jul 2016 19:09:36 +0100 Subject: [PATCH 14/20] adds a sudo test --- roles/remote_user_test/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/remote_user_test/tasks/main.yml b/roles/remote_user_test/tasks/main.yml index 3748ee7..8cada75 100644 --- a/roles/remote_user_test/tasks/main.yml +++ b/roles/remote_user_test/tasks/main.yml @@ -13,3 +13,8 @@ - name: print username and home dir debug: msg: "user: {{ user_name.stdout }} --- home: {{ user_home.stdout }}" + +- name: test sudo pwd + remote_user: "{{ my_remote_user }}" + become: yes + command: pwd From 3d6c987e7b5d3bdf61fe924c95b1c18c839bdf0a Mon Sep 17 00:00:00 2001 From: discopatrick Date: Fri, 8 Jul 2016 19:10:14 +0100 Subject: [PATCH 15/20] deletes commented code --- playbook.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/playbook.yml b/playbook.yml index e98964f..ed401db 100644 --- a/playbook.yml +++ b/playbook.yml @@ -2,10 +2,6 @@ - hosts: all gather_facts: no - # pre_tasks: - # - name: pwd - # command: pwd - roles: - { role: admin_user, when: "'development' not in group_names" } - { role: remote_user_test, tags: ['remote_user_test'] } From 7fe6b96e162abc85d772e055fa2b7dad557988c9 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Fri, 8 Jul 2016 19:12:32 +0100 Subject: [PATCH 16/20] moves remote user to playbook level --- playbook.yml | 1 + roles/remote_user_test/tasks/main.yml | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/playbook.yml b/playbook.yml index ed401db..e709166 100644 --- a/playbook.yml 
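Review bot: `command: echo $HOME` will register the literal string `$HOME`, because the command module runs the program directly without a shell and performs no variable expansion. If the intent is the remote user's home directory, either use the shell module, `shell: echo $HOME`, or read it from facts with `{{ ansible_env.HOME }}`, though the latter needs `gather_facts` enabled for the play. The task name `print home directory` is also slightly misleading since this task only registers the value; the printing happens in the debug task below it.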
+++ b/playbook.yml @@ -1,6 +1,7 @@ --- - hosts: all gather_facts: no + remote_user: "{{ my_remote_user }}" roles: - { role: admin_user, when: "'development' not in group_names" } diff --git a/roles/remote_user_test/tasks/main.yml b/roles/remote_user_test/tasks/main.yml index 8cada75..acb78f0 100644 --- a/roles/remote_user_test/tasks/main.yml +++ b/roles/remote_user_test/tasks/main.yml @@ -2,12 +2,10 @@ - name: get current username command: id -u -n - remote_user: "{{ my_remote_user }}" register: user_name - name: print home directory command: echo $HOME - remote_user: "{{ my_remote_user }}" register: user_home - name: print username and home dir @@ -15,6 +13,5 @@ msg: "user: {{ user_name.stdout }} --- home: {{ user_home.stdout }}" - name: test sudo pwd - remote_user: "{{ my_remote_user }}" become: yes command: pwd From 0c64ba02a23356285f9bd03353e98275933f8fb8 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Fri, 8 Jul 2016 19:57:59 +0100 Subject: [PATCH 17/20] updates readmes --- README.md | 9 +++++++++ hosts/README.md | 18 +++++++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..608b675 --- /dev/null +++ b/README.md @@ -0,0 +1,9 @@ +# Ansible "Proof of Concept" + +An ansible project that solves and documents some of the issues I've faced while using ansible, vagrant, and remote servers together. + +Keeping these examples in a simple, isolated project lets me refer to known working examples, in case I ever have issues while working in more complex projects. + +## Inventory + +See hosts/README.md for notes specific to inventory files. diff --git a/hosts/README.md b/hosts/README.md index d3dc3a0..1658aea 100644 --- a/hosts/README.md +++ b/hosts/README.md 
@@ -2,13 +2,29 @@ Note: this file would normally be parsed as an inventory file! However, we have ignored .md files in ansible.cfg +## Why is the _development inventory file a symlink? + +When you provision a vagrant machine with ansible, an inventory file is automatically generated at .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory. This is the inventory file that is used by `vagrant provision` and `vagrant ssh` to connect to the box. + +When we come to add more environments like staging and production, it would be useful to have the details in this file replicated in our hosts directory. Then we can tell ansible.cfg to look in this one directory for connection information to all our hosts. In the interest of keeping things DRY, rather than duplicating this file, we add a symlink to it's original location. This way, it will stay updated if the details of the box ever change, or if we add multiple boxes. + +By default, the vagrant_ansible_inventory doesn't add the hosts to any groups. However, you can add each box to as many groups you wish within the provisioner configuration in the Vagrantfile, like this: + +``` +ansible.groups = { + 'development' => ['default'] +} +``` + +We can then reference the 'development' group in our playbooks. + ## Why are some inventory file names prefixed with underscores? This is a workaround for a problem. The contents of the hosts directory are processed in alphabetical order. This means that if you had inventory files 'a' and 'b', and in 'a' you tried to reference a group name that is defined in 'b', you would get an error like: `"Section [mysection:children] includes undefined group: mygroup"` To work around this, we make sure all groups are defined first (hence adding the underscore to make them first alphabetically). -# What is the insecure_ssh inventory file? +## What is the insecure_ssh inventory file? (The insecure_ssh file is based on a solution found here: http://stackoverflow.com/a/35564773/3293805) 
From 81ffa519ae7a1d62a99e172b2529521faf34cf0a Mon Sep 17 00:00:00 2001 From: discopatrick Date: Fri, 8 Jul 2016 20:28:29 +0100 Subject: [PATCH 18/20] changes the vagrant ansible provisioner default playbook, and updates readme --- README.md | 9 +++++++-- Vagrantfile | 2 +- vagrant-default-playbook.yml | 4 ++++ 3 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 vagrant-default-playbook.yml diff --git a/README.md b/README.md index 608b675..199d0c0 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,14 @@ -# Ansible "Proof of Concept" +# Ansible "Proof of Concepts" project -An ansible project that solves and documents some of the issues I've faced while using ansible, vagrant, and remote servers together. +An ansible project that solves and documents some of the issues I've faced while using ansible, vagrant local vms, and remote servers together. Keeping these examples in a simple, isolated project lets me refer to known working examples, in case I ever have issues while working in more complex projects. ## Inventory See hosts/README.md for notes specific to inventory files. + +## Playbooks + +* *vagrant-default-playbook.yml* - this is a near-empty playbook that vagrant runs by default on `vagrant up`. We don't really want a playbook to be run automatically (we want to choose from one of the below playbooks), however, using the vagrant ansible provisioner requires that you choose a playbook, so we just give it this dummy playbook to keep it happy. + diff --git a/Vagrantfile b/Vagrantfile index c085e17..6258689 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -64,7 +64,7 @@ Vagrant.configure(2) do |config| # end config.vm.provision "ansible" do |ansible| - ansible.playbook = "playbook.yml" + ansible.playbook = "vagrant-default-playbook.yml" ansible.groups = { 'development' => ['default'] } diff --git a/vagrant-default-playbook.yml b/vagrant-default-playbook.yml new file mode 100644 index 0000000..516f393 --- /dev/null +++ b/vagrant-default-playbook.yml 
@@ -0,0 +1,4 @@ +--- + +- hosts: all + gather_facts: no \ No newline at end of file From a44f2d2af7d8e176a4a563a7e9be29eaa65c5110 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Sat, 9 Jul 2016 20:37:33 +0100 Subject: [PATCH 19/20] moves vagrant playbook into subdir, updates cfg and readme --- README.md | 3 ++- Vagrantfile | 2 +- ansible.cfg | 5 +++++ vagrant-default-playbook.yml => playbooks/vagrant.yml | 0 4 files changed, 8 insertions(+), 2 deletions(-) rename vagrant-default-playbook.yml => playbooks/vagrant.yml (100%) diff --git a/README.md b/README.md index 199d0c0..458843d 100644 --- a/README.md +++ b/README.md @@ -10,5 +10,6 @@ See hosts/README.md for notes specific to inventory files. ## Playbooks -* *vagrant-default-playbook.yml* - this is a near-empty playbook that vagrant runs by default on `vagrant up`. We don't really want a playbook to be run automatically (we want to choose from one of the below playbooks), however, using the vagrant ansible provisioner requires that you choose a playbook, so we just give it this dummy playbook to keep it happy. +### vagrant.yml +This is a near-empty playbook that vagrant runs by default on `vagrant up`. We don't really want a playbook to be run automatically (we want to choose from one of the below playbooks), however, using the vagrant ansible provisioner requires that you choose a playbook, so we just give it this dummy playbook to keep it happy. You may ask "then why use the ansible provisioner at all?" - because we want it to auto-generate an inventory file for us. \ No newline at end of file diff --git a/Vagrantfile b/Vagrantfile index 6258689..0815038 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -64,7 +64,7 @@ Vagrant.configure(2) do |config| # end config.vm.provision "ansible" do |ansible| - ansible.playbook = "vagrant-default-playbook.yml" + ansible.playbook = "playbooks/vagrant.yml" ansible.groups = { 'development' => ['default'] } diff --git a/ansible.cfg b/ansible.cfg index 916bc23..ae5654f 100644 
--- a/ansible.cfg +++ b/ansible.cfg @@ -1,3 +1,8 @@ [defaults] inventory = ./hosts inventory_ignore_extensions = .md, .txt + +# by default, playbooks look for a 'roles' dir in the same directory. +# thus, if your playbooks are in a subdirectory of their own, specify +# the roles dir here: +roles_path = ./roles diff --git a/vagrant-default-playbook.yml b/playbooks/vagrant.yml similarity index 100% rename from vagrant-default-playbook.yml rename to playbooks/vagrant.yml From 2ce2f6532f2fe69432520ae5f08aebf67efbfc35 Mon Sep 17 00:00:00 2001 From: discopatrick Date: Sat, 9 Jul 2016 20:42:16 +0100 Subject: [PATCH 20/20] moves admin user playbook into subdir, updates readme --- README.md | 12 +++++++++++- playbook.yml => playbooks/remote-admin-user.yml | 0 2 files changed, 11 insertions(+), 1 deletion(-) rename playbook.yml => playbooks/remote-admin-user.yml (100%) diff --git a/README.md b/README.md index 458843d..558e07f 100644 --- a/README.md +++ b/README.md 
@@ -12,4 +12,14 @@ See hosts/README.md for notes specific to inventory files. ### vagrant.yml -This is a near-empty playbook that vagrant runs by default on `vagrant up`. We don't really want a playbook to be run automatically (we want to choose from one of the below playbooks), however, using the vagrant ansible provisioner requires that you choose a playbook, so we just give it this dummy playbook to keep it happy. You may ask "then why use the ansible provisioner at all?" - because we want it to auto-generate an inventory file for us. \ No newline at end of file +This is a near-empty playbook that vagrant runs by default on `vagrant up`. We don't really want a playbook to be run automatically (we want to choose from one of the below playbooks), however, using the vagrant ansible provisioner requires that you choose a playbook, so we just give it this dummy playbook to keep it happy. You may ask "then why use the ansible provisioner at all?" - because we want it to auto-generate an inventory file for us. + +### remote-admin-user.yml + +A playbook to add an 'admin' user to your remote machine, so you don't have to use root. + +Most vagrant boxes come with a default 'vagrant' user with passwordless sudo. On the other hand, most remote VPS's come with root access only. It's better to run things as a standard user, and only elevate to root when necessary. + +In this playbook, the very first role is to add the admin user - this is done while logging in as root (set as `remote_user` at task level in the admin_user role, to override the playbook level setting described below). This only needs to be done on remote machines though, so the 'development group' is excluded from this role. + +Any roles or tasks beyond this should use the standard user. This is set at playbook level as `remote_user`. 
This in turn is set via a group_var called `my_remote_user` - because the user will be different depending on the environment ('vagrant' on the development box, 'admin' elsewhere). \ No newline at end of file diff --git a/playbook.yml b/playbooks/remote-admin-user.yml similarity index 100% rename from playbook.yml rename to playbooks/remote-admin-user.yml