Currently, I maintain about 10 physical (or VPS) FreeBSD hosts, each with roughly 4-10 jails. It was fun when I only had a handful to manage. Now, with every change and every security update, I have to touch each system. With 50+ instances, that is a bit time-consuming. That's where Ansible comes in.

Using Dan Langille's guide to get started, here's how I maintain FreeBSD from a Fedora workstation. This is part 1, where I explain how to set up host inventories and variables.

On the Fedora workstation, install the ansible binaries:

sudo dnf install ansible

I use my standard user account to execute ansible playbooks, so creating a separate ansible user/SSH keypair on the desktop is not necessary.

On Fedora 26-27, the ansible configs are at /etc/ansible/.

  1. Create the ansible directory structure:
    cd /etc/ansible/
    mkdir group_vars host_vars roles
  2. Inside the roles directory, create the role directory structure:
    cd roles
    mkdir common
    cd common
    mkdir files handlers library meta tasks templates vars
  3. Starting with the root directory, create the main host inventory file:
    vim /etc/ansible/hosts
    # - Comments begin with the '#' character
    # - Blank lines are ignored
    # - Groups of hosts are delimited by [header] elements
    # - You can enter hostnames or ip addresses
    # - A hostname/ip can be a member of multiple groups
    
    [freebsd:children]
    freebsd-servers
    freebsd-jails
    
    [freebsd-servers]
    [1:5].vps.haraschak.net
    
    [freebsd-jails:children]
    database-servers
    dns-servers
    web-servers
    mail-servers
    
    [database-servers]
    db[1:3].haraschak.net
    
    [dns-servers]
    ns[1:4].haraschak.net
    
    [web-servers]
    web[1:7].haraschak.net
    
    [mail-servers]
    mail[1:2].haraschak.net
    
  4. To ensure Ansible uses the right version of Python and has the necessary paths, create a group variable file (vim group_vars/freebsd) for FreeBSD hosts. The filename must match the group name from the inventory file above:
    ---
    # freebsd
    ansible_user: ansible
    ansible_become: yes
    ansible_python_interpreter: /usr/local/bin/python2.7
    aliases_file: /etc/mail/aliases
    mail_path: /etc/mail/
    bacula_fd_path: /usr/local/etc/bacula/bacula-fd.conf
    openNTPd_path: /usr/local/etc/ntpd.conf
    
  5. For each host in your inventory, create a file containing its respective variables (host_vars/<hostname>). The name must match the inventory hostname:
    ---
    ip: 172.16.1.1
    periodic:
      hour: 05
      minute: 00
    
    ospf_int:
      - { name: 'tap2', desc: 'TAP to VPS2', type: 'point-to-point', auth_key: "{{ ospf_key }}", cost: '11' }
      - { name: 'tap3', desc: 'TAP to VPS3', type: 'point-to-point', auth_key: "{{ ospf_key }}" }
      
    ospf_net:
      - area: 0.0.0.0
        net:
          - 10.8.1.0/24
          - 172.16.1.0/24
      - area: 0.0.0.3
        net: 
          - 10.8.1.0/24
    
    ospf_acl:
      - name: companyA
        area: 0.0.0.3
        permit:
          - 10.8.0.0/24
          - 192.168.1.0/28
          - 192.168.1.48/30
          - 192.168.2.64/26
          - 192.168.2.128/26
          - 192.168.3.0/28
        deny:
          - any
    
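Before a playbook touches a group, it is worth knowing exactly which hosts the range patterns and :children groups above expand to, since group_vars/freebsd applies to every host reached that way. The following is an added example, not code from the original post or from Ansible itself: it parses a constructed subset of the inventory in the same INI format, expands numeric ranges and resolves nested groups.

```python
import re
# Constructed subset of the inventory above, in the same INI format (sample data, not the page's file).
SAMPLE_INVENTORY = """\
[freebsd:children]
freebsd-servers
freebsd-jails
[freebsd-servers]
[1:5].vps.haraschak.net
[freebsd-jails:children]
database-servers
[database-servers]
db[1:3].haraschak.net
"""

HEADER_RE = re.compile(r"^\[([^\]:]+)(:children)?\]$")  # [group] or [group:children]
RANGE_RE = re.compile(r"\[(\d+):(\d+)\]")               # numeric range inside a host pattern

def expand_pattern(pattern):
    # db[1:3].x -> db1.x, db2.x, db3.x; bounds are inclusive, leading zeros in the pattern are kept
    m = RANGE_RE.search(pattern)
    if not m:
        return [pattern]
    lo, hi, width = int(m.group(1)), int(m.group(2)), len(m.group(1))
    return [h for i in range(lo, hi + 1)
            for h in expand_pattern(pattern[:m.start()] + str(i).zfill(width) + pattern[m.end():])]

def parse_inventory(text):
    # Returns (hosts_by_group, children_by_group); '#' comments and blank lines are ignored
    hosts, children = {}, {}
    group, is_children = None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = HEADER_RE.match(line)
        if m:
            group, is_children = m.group(1), m.group(2) is not None
        elif line and group and is_children:
            children.setdefault(group, []).append(line)
        elif line and group:
            hosts.setdefault(group, []).extend(expand_pattern(line))
    return hosts, children

def resolve_hosts(group, hosts, children, seen=()):
    # Every host a play on `group` would touch, following :children; `seen` stops a child loop
    if group in seen:
        return []
    out = list(hosts.get(group, []))
    for child in children.get(group, []):
        out.extend(resolve_hosts(child, hosts, children, seen + (group,)))
    return sorted(set(out))
```

Against the real /etc/ansible/hosts, `ansible-inventory --graph` gives the same view without any extra code.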

Future post, Ansible tasks.