At [Firewall Services](https://www.firewall-services.com), we use Ansible. And we use it **a lot**. There's now nearly nothing we deploy manually, without it. As such we've written a lot of roles to deploy and manage various applications. This includes:
* Basic system configuration
* Authentication (eg, configure LDAP auth, or join an AD domain automatically)
* Plumbing layers (like deploying a MySQL server, a PHP stack etc.)
* Authentication services (Samba4 in AD DC mode, Lemonldap::NG etc.)
Most of our roles are CentOS centric, and are made to be deployed on CentOS 7 servers. Basic roles (like basic system configuration, postfix etc.) also support Debian systems, but are less tested.
Most of the web application roles are made to run behind a reverse proxy. You can use either the nginx role (recommended) or the httpd_front role for this.
## How to use this
Here are the steps to make use of this. Note that this is not a complete Ansible how-to, just a quick guide to use our roles. For example, it'll not explain how to make use of ansible-vault to protect sensitive information.
* Create your SSH key pair on the control node. It's advised to set a passphrase to protect the private key (load it into ssh-agent so that playbook runs stay unattended)
```
ssh-keygen -t rsa -b 4096 -f ssh/id_rsa
```
* Create the ansible user account on the hosts you want to manage. This can be done manually or can be automated with tools like kickstart (you can have a look at https://ks.fws.fr/el7.ks for example). The ansible user must be able to escalate privileges with sudo (so you have to ensure sudo is installed, and that the account is allowed to use it without an interactive prompt, or pass `--ask-become-pass` when running playbooks)
* Create your inventory file. For example, inventories/fws.ini
```
[fws]
db.fws.fr
proxyin.fws.fr
```
This will create a single group **fws** with two hosts in it.
* Create your main playbook. This is the file describing what to deploy on which host. You can store it in the root dir, for example, fws.yml:
```
- name: Deploy common profiles
  hosts: fws
  roles:
    - common
    - backup
- name: Deploy database servers
  hosts: db.fws.fr
  roles:
    - mysql_server
    - postgresql_server
- name: Deploy reverse proxy
  hosts: proxyin.fws.fr
  roles:
    - nginx
    - letsencrypt
    - lemonldap_ng
```
It's pretty self-explanatory. First, roles **common** and **backup** will be deployed on every host in the fws group. Then, **mysql_server** and **postgresql_server** will be deployed on **db.fws.fr**. And roles **nginx**, **letsencrypt** and **lemonldap_ng** will be deployed on host **proxyin.fws.fr**.
* Now, it's time to configure a few things. Configuration is done by assigning values to variables, and can be done at several levels.
  * group_vars/all/vars.yml: variables here will be inherited by every host
```
ansible_become: True
trusted_ip:
  - 1.2.3.4
  - 192.168.47.0/24
zabbix_ip:
  - 10.11.12.13
system_admin_groups:
  - 'admins'
system_admin_users:
  - 'fws'
system_admin_email: servers@example.com
zabbix_agent_encryption: psk
zabbix_agent_servers: "{{ zabbix_ip }}"
zabbix_proxy_encryption: psk
zabbix_proxy_server: 'zabbix.example.com'
```
  * group_vars/fws/vars.yml: variables here will be inherited by hosts in the **fws** group
Every role has default variables set in its defaults subfolder. You can have a look at it to see which variables are available and what default value they have.
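The step above that creates the ansible account on each managed host is the one most often done by hand, and the one where a permissions mistake (an authorized_keys file sshd refuses, a sudoers file that locks everyone out) is easiest to make. The following script is an added example and is not part of the Firewall Services roles: it renders the sudoers drop-in and the authorized_keys entry as plain functions, validates the public key before touching anything, validates the sudoers file with `visudo -c` before installing it, and optionally pins the key to a source network with `from=`. The user name `ansible`, the drop-in path `/etc/sudoers.d/ansible`, the source network and the assumption that the distribution creates a private group per user are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Firewall Services roles): bootstrap the Ansible
# management account on a host to be managed. The user name "ansible", the
# sudoers drop-in path, the from= source restriction and the user-private-group
# convention are assumptions of this example.
set -u

# Render the sudoers drop-in for the management user. Unattended runs need
# NOPASSWD; requiretty is disabled for this user only, because Ansible runs
# commands over a non-interactive SSH session.
render_sudoers() {
    user="$1"
    printf 'Defaults:%s !requiretty\n' "$user"
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user"
}

# Accept only an OpenSSH public key line: a known key type followed by a
# base64 blob (and an optional comment). Anything else is refused.
validate_pubkey() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*) ;;
        *) return 1 ;;
    esac
    set -- $1                       # split the line into its fields
    [ "$#" -ge 2 ] || return 1
    case "$2" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    return 0
}

# Render the authorized_keys entry. When a source pattern (CIDR or host) is
# given, the key is pinned to it with from= so a leaked private key is useless
# from anywhere else.
render_authorized_key() {
    key="$1"
    src="${2:-}"
    if [ -n "$src" ]; then
        printf 'from="%s" %s\n' "$src" "$key"
    else
        printf '%s\n' "$key"
    fi
}

# Apply it on the managed host (run as root): create the account, install the
# key with the permissions sshd insists on, then install the sudoers drop-in
# only after visudo has accepted it.
bootstrap_ansible_user() {
    user="$1" key="$2" src="${3:-}"
    validate_pubkey "$key" || { echo "refusing malformed public key" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    install -d -m 0700 -o "$user" -g "$user" "$home/.ssh"
    render_authorized_key "$key" "$src" > "$home/.ssh/authorized_keys"
    chmod 0600 "$home/.ssh/authorized_keys"
    chown "$user:$user" "$home/.ssh/authorized_keys"
    tmp=$(mktemp)
    render_sudoers "$user" > "$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$user"
    else
        echo "sudoers drop-in failed validation, not installed" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# Usage on a managed host, as root:
#   sh bootstrap.sh 'ssh-rsa AAAA... ansible@control' '192.168.47.0/24'
# Without arguments (or as a non-root user) only the functions are defined.
if [ "$#" -ge 1 ] && [ "$(id -u)" -eq 0 ]; then
    bootstrap_ansible_user "${ANSIBLE_USER:-ansible}" "$1" "${2:-}"
fi
```

Keep `Defaults:ansible !requiretty` scoped to the one user rather than removing `requiretty` globally, and pass the control node's address or network as the second argument: with `from=` in place, the same key presented from another source is rejected by sshd before any authentication happens.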