Back in 2017 I maintained about 10 physical (or VPS) FreeBSD hosts, each with roughly 5 jails. It was fun when I only had a handful to manage. Now, with every change, every security update, I have to touch each system. With 50 instances, it's a bit time consuming. That's where Ansible comes in!
Using Dan Langille's guide to get started, here's how I maintain FreeBSD from a Fedora workstation. This is part 1, where I explain how to set up host inventories and variables.
On the Fedora workstation, install the ansible binaries:
sudo dnf install ansible
I use my standard user account to execute ansible playbooks, so creating a separate ansible user/SSH keypair on the desktop is not necessary.
On Fedora 26-27, the ansible configs are at /etc/ansible/.
- Create the ansible directory structure:
cd /etc/ansible/
mkdir group_vars host_vars roles
- Inside the roles directory, create the role directory structure:
cd roles
mkdir common
cd common
mkdir files handlers library meta tasks templates vars
- Starting with the root directory, create the main host inventory file:
vim /etc/ansible/hosts
# - Comments begin with the '#' character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups

[freebsd:children]
freebsd-servers
freebsd-jails

[freebsd-servers]
[1:5].vps.haraschak.net

[freebsd-jails:children]
database-servers
dns-servers
web-servers
mail-servers

[database-servers]
db[1:3].haraschak.net

[dns-servers]
ns[1:4].haraschak.net

[web-servers]
web[1:7].haraschak.net

[mail-servers]
mail[1:2].haraschak.net
- To ensure Ansible uses the right version of python and has the necessary paths, create a group variable file for the FreeBSD hosts. The filename must match the group from the inventory file above:
vim group_vars/freebsd
---
# freebsd
ansible_user: ansible
ansible_become: yes
ansible_python_interpreter: /usr/local/bin/python2.7
aliases_file: /etc/mail/aliases
mail_path: /etc/mail/
bacula_fd_path: /usr/local/etc/bacula/bacula-fd.conf
openNTPd_path: /usr/local/etc/ntpd.conf
- For each host in your inventory, create a file containing its respective variables (host_vars/<hostname>). The name must match the inventory hostname:
---
ip: 172.16.1.1
periodic:
  hour: 05
  minute: 00
ospf_int:
  - { name: 'tap2', desc: 'TAP to VPS2', type: 'point-to-point', auth_key: "{{ ospf_key }}", cost: '11' }
  - { name: 'tap3', desc: 'TAP to VPS3', type: 'point-to-point', auth_key: "{{ ospf_key }}" }
ospf_net:
  - area: 0.0.0.0
    net:
      - 10.8.1.0/24
      - 172.16.1.0/24
  - area: 0.0.0.3
    net:
      - 10.8.1.0/24
ospf_acl:
  - name: companyA
    area: 0.0.0.3
    permit:
      - 10.8.0.0/24
      - 192.168.1.0/28
      - 192.168.1.48/30
      - 192.168.2.64/26
      - 192.168.2.128/26
      - 192.168.3.0/28
    deny:
      - any
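Both the group_vars and the host_vars steps hinge on the filename matching a group or host in the inventory; a file whose name matches nothing is silently ignored by Ansible, so the variables in it (interpreter path, become settings, OSPF data) never reach the host. The script below is an added example, not code from the post or from Ansible itself: it parses an INI inventory in the layout used above, expands numeric `[1:5]` host ranges, and reports vars files that correspond to no group or host, plus hosts that have no host_vars file yet. The inventory text and the directory listing are constructed in memory to stand in for /etc/ansible; the function and variable names are my own.

```python
"""Check that group_vars/ and host_vars/ filenames line up with an Ansible
INI inventory. A vars file whose name matches no group or host is silently
ignored by Ansible, so the variables it carries never reach a host.

Added example, not the post's own code. The inventory text and the file
listing below are constructed in memory to stand in for /etc/ansible.
Only numeric [start:end] ranges are expanded (no stride, no letter ranges)."""
import re
from collections import defaultdict

# Constructed inventory text, laid out like the post's /etc/ansible/hosts.
INVENTORY = """
# comments and blank lines are ignored
[freebsd:children]
freebsd-servers
freebsd-jails

[freebsd-servers]
[1:5].vps.haraschak.net

[freebsd-jails:children]
database-servers
dns-servers

[database-servers]
db[1:3].haraschak.net

[dns-servers]
ns[1:4].haraschak.net
"""

# Constructed directory listing of /etc/ansible (paths relative to it).
VAR_FILES = {
    "group_vars/freebsd",
    "group_vars/freebsd-jail",        # typo: the inventory group is freebsd-jails
    "host_vars/1.vps.haraschak.net",
    "host_vars/db1.haraschak.net",
    "host_vars/ns1.haraschak.net",
    "host_vars/ns5.haraschak.net",    # outside the ns[1:4] range
}

RANGE_RE = re.compile(r"\[(\d+):(\d+)\]")
# A header ends at its closing bracket; '[1:5].vps.example' therefore stays a host line.
HEADER_RE = re.compile(r"^\[([^\]:\s]+)(:children)?\]$")


def expand_range(pattern):
    """Expand every numeric [start:end] range in a host line, preserving
    zero padding (web[01:03].x -> web01.x, web02.x, web03.x)."""
    m = RANGE_RE.search(pattern)
    if not m:
        return [pattern]
    start, end = m.group(1), m.group(2)
    width = len(start) if start.startswith("0") else 0
    hosts = []
    for n in range(int(start), int(end) + 1):
        host = pattern[:m.start()] + str(n).zfill(width) + pattern[m.end():]
        hosts.extend(expand_range(host))  # recurse in case of a second range
    return hosts


def parse_inventory(text):
    """Return ({group: [hosts]}, {group: [child groups]}) from INI text."""
    hosts, children = defaultdict(list), defaultdict(list)
    section, is_children = "ungrouped", False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            section, is_children = m.group(1), m.group(2) is not None
            hosts.setdefault(section, [])     # register the group even if it only has children
            continue
        if is_children:
            children[section].append(line)
        else:
            hosts[section].extend(expand_range(line))
    return dict(hosts), dict(children)


def check_var_files(text, var_files):
    """Return (vars files matching no group/host, hosts lacking a host_vars file)."""
    hosts, children = parse_inventory(text)
    groups = set(hosts) | set(children)
    every_host = {h for hs in hosts.values() for h in hs}

    def matches_inventory(path):
        kind, _, name = path.partition("/")
        return (kind == "group_vars" and name in groups) or \
               (kind == "host_vars" and name in every_host)

    orphaned = sorted(f for f in var_files if not matches_inventory(f))
    no_host_vars = sorted(h for h in every_host if f"host_vars/{h}" not in var_files)
    return orphaned, no_host_vars


if __name__ == "__main__":
    orphaned, no_vars = check_var_files(INVENTORY, VAR_FILES)
    print("vars files matching nothing in the inventory:", *orphaned, sep="\n  ")
    print("hosts without a host_vars file:", *no_vars, sep="\n  ")
```

Against a real /etc/ansible, replace `INVENTORY` with the contents of the hosts file and `VAR_FILES` with a listing of the group_vars and host_vars directories; the orphaned list is the one to act on, since each entry is a file that looks configured but changes nothing on any host.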
A future post will cover Ansible tasks.