Ansible roles
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Daniel Berteaud 65f4b19317 Update to 2022-05-04 17:00 2 months ago
library Update to 2021-01-05 21:00 1 year ago
playbooks Update to 2021-10-01 15:00 9 months ago
roles Update to 2022-05-04 17:00 2 months ago
LICENSE Initial commit 2 years ago Update to 2021-08-26 10:00 10 months ago
ansible.cfg Update to 2021-03-08 16:00 1 year ago

Ansible roles

At Firewall Services, we use Ansible. And we use it a lot. Like, there's now nearly nothing we deploy manually, without it. As such we've written a lot of roles, to deploy and manage various applications. This include :

  • Basic system configuration
  • Authentication (eg, configure LDAP auth, or join an AD domain automatically)
  • Plumber layers (like deploy a MySQL server, a PHP stack etc.)
  • Authentication services (Samba4 in AD DC mode, Lemonldap::NG etc.)
  • Collaborative apps (like Zimbra, Matrix, Etherpad, Seafile, OnlyOffice, Jitsi etc.)
  • Monitoring tools (deploy Zabbix agent, proxy and server, Fusion Inventory agent, Graylog server)
  • Web applications (GLPI, Ampache, Kanboard, Wordpress, Dolibarr, Matomo, Framadate, Dokuwiki etc.)
  • Dev tools (Deploy a Gitea server)
  • Security tools (OpenXPKI, Bitwareden_RS, manage SSH keys etc.)
  • A lot more :-)

Most of our roles are CentOS centric, and are made to be deployed on CentOS 7 servers. Basic roles (like basic system configuration, postfix etc.) also support Debian systems, but are less tested.

Our roles are often dependent on other roles. For example, if you deploy glpi, it'll first pull all the required web and PHP stack.

Most of the web application roles are made to run behind a reverse proxy. You can use for this the nginx (recommended) or the httpd_front role.

how to use this

Here're the steps to make use of this. Note that this is not a complete ansible how-to, just a quick guide to use our roles. For example, it'll not explain how to make use of ansible-vault to protect sensitive informations.

  • Clone the repo
git clone
cd ansible-roles
  • Create a few directories
mkdir {inventories,host_vars,group_vars,ssh,config}
  • Create your SSH key. It's advised to set a passphrase to protect it
ssh-keygen -t rsa -b 4096 -f ssh/id_rsa
  • Create the ansible user account on the hosts you want to manage. This can be done manually or can be automated with tools like kickstart (you can have a look at for example). The ansible user must have elevated privileges with sudo (so you have to ensure sudo is installed)
useradd -m ansible
mkdir ~ansible/.ssh
cat <<_EOF > ~ansible/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc0G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QmORxvCdfdsqoeod7jK384NXq+UD24Y/tEgq/eT7pl3yLCpQo4qKd/aCEBqc2bnLggVRr+WX94ojMdK35qYbdXtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxXKMl7q9Sdj1t7BrqQQIK3H9kP7SZRhWNP6tvNKBgKFgc/k01ldw==
chown -R ansible:ansible ~ansible/.ssh/
chmod 700 ~ansible/.ssh/
chmod 600 ~ansible/.ssh/authorized_keys
cat <<_EOF > /etc/sudoers.d/ansible
Defaults:ansible !requiretty
chmod 600 /etc/sudoers.d/ansible
  • Create your inventory file. For example, inventories/fws.ini

This will create a single group fws with two hosts in it.

  • Create your main playbook. This is the file describing what to deploy on which host. You can store it at in the root dir, for example, fws.yml :
- name: Deploy common profiles
  hosts: fws
    - common
    - backup

- name: Deploy databases servers
    - mysql_server
    - postgresql_server

- name: Deploy reverse proxy
    - nginx
    - letsencrypt
    - lemonldap_ng

It's pretty self-explanatory. First, roles common and backup will be deployed on every hosts in the fws group. Then, mysql_server and postgresql_server will be deployed on And roles nginx, letsencrypt and lemonldap_ng will be deployed on host

  • Now, it's time to configure a few things. Configuration is done be assigning values to varibles, and can be done at several levels.
    • group_vars/all/vars.yml : variables here will be inherited by every hosts
ansible_become: True

  - 'admins'
  - 'fws'

zabbix_agent_encryption: psk
zabbix_agent_servers: "{{ zabbix_ip }}"
zabbix_proxy_encryption: psk
zabbix_proxy_server: ''
* group_vars/fws/vars.yml : variables here will be inherited by hosts in the **fws** group
sshd_src_ip: "{{ trusted_ip }}"
postfix_relay_host: '[]:587'
postfix_relay_user: smtp
postfix_relay_pass: "S3cretP@ssw0rd"

  - name: ansible
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+dywY88WXY+VJI1rkIU3NlOAw3GKjEd6iqiOboDl8Ld4qqc+NpqDFPeidYbk5xjKv3l/Y804tdwqO1UYC+psr983rs1Kq91jI/5xSjSQFM51W3HCpZMTzSIt4Swy+m+eqUIrInxMmw72HF2CL+PePHgmusMUBYPdBfqHIxEHEbvPuO67hLAhqH1dUDBp+0oiRSM/J/DX7K+I+jNO43/UtcvnrBjNjzAiiJEG3WRAcBAUpccOu3JHcRN5CLRB26yfLXpFRzUNCnajmdZF7qc0G5gJuy8KpUZ49VTmZmJ0Uzx1rZLaytSjHpf4e5X6F8iTQ1QmORxvCdfdsqoeod7jK384NXq+UD24Y/tEgq/eT7pl3yLCpQo4qKd/aCEBqc2bnLggVRr+WX94ojMdK35qYbdXtLsN5y6L20yde8tGtWY+nmbJzLnqVJ4TKxXKMl7q9Sdj1t7BrqQQIK3H9kP7SZRhWNP6tvNKBgKFgc/k01ldw==
  - name: dani
    allow_forwarding: True
      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwnPxF7vmJA8Jr7I2q6BNRxQIcnlFaA3O58x8532qXIox8fUdYJo0KkjpEl6pBSWGlF4ObTB04/Nks5rhv9Ew+EHO5GvavzVp5L3u8T+PP+idlLlwIERL2R632TBWVbxqvhtc813ozpaMRI7nCabgiIp8rFf4hqYJIn/RMpRdPSQaHrPHQpFEW9uHPbFYZ9+

# Default database server
mysql_admin_pass: "r00tP@ss"
pg_admin_pass: "{{ mysql_admin_pass }}"

letsencrypt_challenge: dns
letsencrypt_dns_provider: gandi
letsencrypt_dns_provider_options: '--api-protocol=rest'
letsencrypt_dns_auth_token: "G7Bm9RckZdgI"
* host_vars/ : variables here will be inherited only by the host ****
nginx_auto_letsencrypt_cert: True

# Default vhost settings
  auth: llng
  csp: >-
    default-src 'self' 'unsafe-inline' blob:;
    style-src-elem 'self' 'unsafe-inline' data:;
    img-src 'self' data: blob:;
    script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:;
    font-src 'self' data:
    cache: True


  - name:
    allowed_methods: [GET,HEAD,POST,PUT,DELETE]
    src_ip: "{{ trusted_ip }}"
    auth: False

  - name:
    allowed_methods: [GET,HEAD,POST,PUT,DELETE]

How to check available variables

Every role has default variables set in the defaults sub folder. You can have a look at it to see which variables are available and what default value they have.


You can contact us at tech AT firewall-services DOT com if needed