I have been using Ansible for a long time now. I will try to explain why and how I use it.
Training is an indispensable part of personal and professional experience.
For different reasons, it is not always easy to give time to it.
When I write an Ansible role, I try to make it complete and idempotent.
This forces me to have a full knowledge of how a tool operates.
To avoid manual actions, I want to be able to manage my whole infrastructure with Ansible:
- tools and services
- links and flows between the different elements
I want to add some security layers (to the best I can):
- there will be users for services and users for data
- unix rights will be strict (if groups are not shared or if there is no privilege escalation: no visibility on other users' data)
- resource management (using cgroups and systemd or the limits.conf file from OpenBSD)
- SSL for all communications
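As an added example (not code from the author's roles), here is how those layers can be expressed in a playbook for a hypothetical service called "myservice": separate service and data accounts with no login shell, a data directory with no access for other users, and resource limits applied through a systemd drop-in; the handlers use `listen` so that one notification triggers both the daemon reload and the restart. The service name, paths and limits are placeholders.

```yaml
# Added example, not the author's code: the layers listed above for a
# hypothetical "myservice" (names and limits are placeholders).
- hosts: all
  become: true
  tasks:
    - name: Data owner, a system account that owns files but runs nothing
      ansible.builtin.user:
        name: myservice-data
        system: true
        shell: /usr/sbin/nologin
        create_home: false
    - name: Service account, reads the data only through the data group
      ansible.builtin.user:
        name: myservice-svc
        groups: [myservice-data]
        system: true
        shell: /usr/sbin/nologin
        create_home: false
    - name: Strict unix rights, nothing visible to other users
      ansible.builtin.file:
        path: /srv/myservice
        state: directory
        owner: myservice-data
        group: myservice-data
        mode: "0750"
    - name: Drop-in directory for the unit
      ansible.builtin.file:
        path: /etc/systemd/system/myservice.service.d
        state: directory
    - name: Resource limits enforced by systemd through cgroups
      ansible.builtin.copy:
        dest: /etc/systemd/system/myservice.service.d/limits.conf
        content: |
          [Service]
          User=myservice-svc
          MemoryMax=512M
          CPUQuota=50%
        mode: "0644"
      notify: myservice changed
  handlers:
    - name: Reload systemd units
      ansible.builtin.systemd:
        daemon_reload: true
      listen: myservice changed
    - name: Restart the service
      ansible.builtin.systemd:
        name: myservice
        state: restarted
      listen: myservice changed
```

Running the play twice should report no changes on the second run, which is the idempotence check the author describes.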
To find potential errors, I deploy all my roles in different environments:
- a shared host
- in the cloud (AWS for the moment)
Of course, I don’t shrug immutability off. It’s also a key part of a sane infrastructure, but it requires a fully-working one (from packaging to alerting).
I therefore write my roles to answer those needs and they are available here: https://git.t18s.fr/.
The playbooks I used to deploy everything on my infrastructure are here: https://git.t18s.fr/ansible-playbooks/.
All roles and playbooks answer my own needs.
I try to make them abstract but it is impossible to make them work in all use-cases.
It is thus possible that they won’t work as you wish: be prepared.
I hope however they can be used as a basis to your own developments.
The roles and playbooks I’ve made allow me to deploy:
- a basic Debian system
- content servers (pfinger, pgopher, web)
- a secrets manager (Bitwarden)
- an infrastructure of secrets management (Consul and Vault)
- git repositories (cgit)
- bitcoin-core services (btc, ltc, mnc)
From my initial plans, I still need to:
- upgrade to Ansible 2.8
- test Mitogen
- fix/update/correct the Ansible documentation
- add Ansible tests with Molecule
- rework the monitoring roles (for collectd, InfluxDB, Prometheus, Grafana)
- add monitoring tasks to the different elements of the infrastructure
- find a better handling method for mails in crontab
- add a Lightning Network process for the bitcoin and litecoin network
- make all roles OpenBSD-compatible
- rework the handlers (use listen everywhere)
- add more services (like a search engine)