





Ansible playbook examples

xxxx

Install a Linux LAMP stack

rhel-lamp.yaml

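---
# rhel-lamp.yaml — installs a LAMP stack (Apache, PHP, MariaDB) on srv-web01,
# drops a test index.php and opens http/https in firewalld.
# Modules are written with their FQCN so the file reads the same way as the
# ansible.posix.firewalld task at the end.
- hosts: srv-web01
  handlers:
    # Notified by the PHP tasks: httpd only loads a newly installed PHP
    # module after a restart (the handler existed before but nothing
    # notified it).
    - name: restart httpd
      ansible.builtin.service:
        name: httpd
        state: restarted
  tasks:
    # `name: "*"` + `state: latest` upgrades every installed package on every
    # run, so this task is never idempotent and may pull in an unplanned
    # kernel/httpd update. Keep it only if a full update per run is intended.
    - name: 0. MàJ système
      ansible.builtin.dnf:
        name: "*"
        state: latest
    - name: 1. Installation Apache
      ansible.builtin.dnf:
        name: httpd
        state: latest
    - name: 2. Installation PHP
      ansible.builtin.dnf:
        name: php
        state: latest
      notify: restart httpd
    - name: 3. Installation extensions PHP
      ansible.builtin.dnf:
        # Was `name :` (space before the colon) with an odd 9-space list
        # indent; parses the same but trips linters and readers.
        name:
          - php-pdo
          - php-soap
          - php-gd
        state: latest
      notify: restart httpd
    - name: 4. Installation de MariaDB
      ansible.builtin.dnf:
        name: mariadb-server
        state: latest
    - name: 5. Démarrage Apache
      ansible.builtin.service:
        name: httpd
        state: started
        enabled: true
    - name: 6. Démarrage MariaDB
      ansible.builtin.service:
        name: mariadb
        state: started
        enabled: true
    - name: 7. Installation index
      ansible.builtin.copy:
        src: rhel-lamp.index.php
        dest: /var/www/html/index.php
        # NOTE(review): the file is owned by the account httpd runs as, so a
        # compromised httpd worker can rewrite its own index.php. root:root
        # with mode "0644" is still readable by apache and not writable by it;
        # kept as the original had it — confirm which is intended.
        owner: apache
        group: apache
        # Quoted: an unquoted 0644 is read as the octal integer 420 by YAML 1.1
        # parsers and silently becomes a different mode.
        mode: "0644"
    - name: 8. Ajout de la regle de parefeu
      ansible.posix.firewalld:
        zone: public
        service: "{{ item }}"
        permanent: true
        state: enabled
        immediate: true
      loop:
        - http
        - https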

Example with LPAR2RRD

my_project
> group_vars
> host_vars
> roles
  > lpar2rrd
  > defaults
  main.yml
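      ---
      # defaults/main.yml — role defaults; override them in group_vars/host_vars.
      # Quoted: an unquoted 7.90 is parsed as the float 7.9 and would render a
      # wrong download URL.
      lpar2rrd_version: "7.90"
      lpar2rrd_user: lpar2rrd
      lpar2rrd_group: "{{ lpar2rrd_user }}"
      lpar2rrd_path: /opt/lpar2rrd
      # Derived from lpar2rrd_path so the two cannot drift apart; renders to the
      # same /opt/lpar2rrd/bin/lpar2rrd the original hard-coded.
      lpar2rrd_bin: "{{ lpar2rrd_path }}/bin/lpar2rrd"
      # Derived from lpar2rrd_version so a version bump changes the URL with it;
      # renders to the same URL the original hard-coded. The archive is fetched
      # over https with certificate validation on (see tasks/main.yml); there is
      # no checksum on the page to pin, so none is asserted here.
      lpar2rrd_src: "https://master.dl.sourceforge.net/project/lpar2rrd/lpar2rrd-OSagent/{{ lpar2rrd_version }}/lpar2rrd-agent-{{ lpar2rrd_version }}-0.noarch.rpm"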
  > files
  > handlers
  main.yml
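      ---
      # handlers/main.yml — notified by the task that installs the unit file.
      # The unit is rendered to /etc/systemd/system/lpar2rrd-agent.service, so
      # the systemd unit name is lpar2rrd-agent; the original restarted
      # "lpar2rrd", a unit that does not exist.
      - name: reload_daemon_and_restart_lpar2rrd-agent
        ansible.builtin.systemd:
          name: lpar2rrd-agent
          state: restarted
          daemon_reload: true
          enabled: true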
  > meta
  > tasks
  main.yml
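      ---
      # tasks/main.yml — installs the lpar2rrd OS agent from lpar2rrd_src under
      # lpar2rrd_path and runs it as lpar2rrd_user through a systemd unit.
      - name: check if lpar2rrd exists
        ansible.builtin.stat:
          path: "{{ lpar2rrd_bin }}"
        register: __check_lpar2rrd_exist

      - name: create lpar2rrd user
        ansible.builtin.user:
          name: "{{ lpar2rrd_user }}"
          append: true
          shell: /usr/sbin/nologin
          # NOTE(review): a daemon account is normally created with
          # `system: true` (system uid range, no password aging); kept as the
          # original had it — confirm which is intended.
          system: false
          create_home: true
          home: /home/lpar2rrd

      - name: create lpar2rrd dir
        ansible.builtin.file:
          path: "{{ lpar2rrd_path }}"
          state: directory
          owner: "{{ lpar2rrd_user }}"
          group: "{{ lpar2rrd_group }}"
          # Explicit so the directory does not inherit the controller's umask.
          mode: "0755"

      # Only fetched when the binary is not installed yet; the original
      # downloaded on every run.
      # NOTE(review): lpar2rrd_src (defaults) points at a .rpm, while unarchive
      # handles tar/zip archives — confirm the source really is an archive, or
      # install the rpm with dnf instead.
      - name: download and untar lpar2rrd agent
        ansible.builtin.unarchive:
          src: "{{ lpar2rrd_src }}"
          dest: /tmp/
          remote_src: true
          # The original set validate_certs: false. With TLS verification off,
          # anyone on the network path can substitute the archive that ends up
          # executed as a service. Keep verification on; if it fails, fix the
          # host's CA bundle rather than disabling it.
          validate_certs: true
        when: not __check_lpar2rrd_exist.stat.exists

      - name: move binary lpar2rrd agent
        ansible.builtin.copy:
          # PLACEHOLDER: the original had an empty expression ("/tmp/{{ }}").
          # Set lpar2rrd_unpacked_name to the file or directory unarchive
          # creates under /tmp.
          src: "/tmp/{{ lpar2rrd_unpacked_name }}"
          dest: "{{ lpar2rrd_path }}"
          owner: "{{ lpar2rrd_user }}"
          group: "{{ lpar2rrd_group }}"
          mode: "0755"
          remote_src: true
        when: not __check_lpar2rrd_exist.stat.exists

      # The file module does not expand globs, so `path: "/tmp/lpar2rrd*"`
      # removed nothing; find the matches first, then delete each one.
      - name: find lpar2rrd temporary files
        ansible.builtin.find:
          paths: /tmp
          patterns: "lpar2rrd*"
          file_type: any
        register: __lpar2rrd_tmp_files

      - name: cleanup
        ansible.builtin.file:
          path: "{{ item.path }}"
          state: absent
        loop: "{{ __lpar2rrd_tmp_files.files }}"

      - name: install template
        ansible.builtin.template:
          src: lpar2rrd-agent.service.j2
          dest: /etc/systemd/system/lpar2rrd-agent.service
          owner: root
          group: root
          # A unit file is data, not a program: 0644, not the original 0755.
          mode: "0644"
        notify: reload_daemon_and_restart_lpar2rrd-agent

      - meta: flush_handlers

      - name: service always start
        ansible.builtin.systemd:
          # The unit installed above is lpar2rrd-agent.service; the original
          # started "lpar2rrd", which does not exist.
          name: lpar2rrd-agent
          state: started
          enabled: true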
  > templates
  lpar2rrd-agent.service.j2
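      # lpar2rrd-agent.service.j2 — rendered by tasks/main.yml to
      # /etc/systemd/system/lpar2rrd-agent.service.
      [Unit]
      Description=lpar2rrd agent
      # After= only orders the unit; without Wants= nothing pulls
      # network-online.target in, so the ordering had no effect.
      Wants=network-online.target
      After=network-online.target

      [Service]
      # Runs as the role's unprivileged service account, not root.
      User={{ lpar2rrd_user }}
      Group={{ lpar2rrd_group }}
      Type=simple
      ExecStart={{ lpar2rrd_bin }}

      [Install]
      WantedBy=multi-user.target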
		
    > tests
  > vars
00_inventory.yml
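     ---
     # 00_inventory.yml — `vars` and `hosts` belong under `all`; in the original
     # they sat at the same level as `all`, leaving the group empty.
     all:
       vars:
         ansible_python_interpreter: /usr/bin/python3.9
       hosts:
         10.10.10.1:
         10.10.10.2: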
playbook.yml
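      ---
      # playbook.yml — applies the lpar2rrd role to every inventory host.
      - name: install lpar2rrd agent
        hosts: all
        # The role creates a user and writes under /opt and /etc/systemd.
        become: true
        roles:
          - lpar2rrd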

===== SSH config =====

# Path variable read by every task below; in a role it belongs in vars/ or
# defaults/ rather than next to the task list.
etc_ssh_sshd_config: /etc/ssh/sshd_config
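# sshd hardening tasks.
# Every lineinfile task carries a regexp that matches the directive whether it
# is still commented out or already set, so a re-run rewrites the existing line
# instead of appending a duplicate (sshd honours only the first occurrence of a
# directive, so an appended line would be silently ignored). `validate` runs
# `sshd -t` on the candidate file before it replaces sshd_config, so a typo
# fails the task rather than leaving the host with an sshd that cannot start.
# None of these tasks restarts sshd; a handler (not shown on this page) is
# needed for the new settings to take effect.
- name: check if sshd_config exists
  ansible.builtin.stat:
    path: "{{ etc_ssh_sshd_config }}"
  # `register` was indented under `stat:` in the original, where it is passed
  # to the module as an unknown argument; it is a task keyword.
  register: __check_sshd_config_exist__

- name: Set SSH KexAlgorithms
  ansible.builtin.lineinfile:
    path: "{{ etc_ssh_sshd_config }}"
    regexp: '^#?KexAlgorithms\s'
    line: 'KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
    validate: /usr/sbin/sshd -t -f %s

- name: Set SSH Ciphers
  ansible.builtin.lineinfile:
    path: "{{ etc_ssh_sshd_config }}"
    regexp: '^#?Ciphers\s'
    line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
    validate: /usr/sbin/sshd -t -f %s

- name: Set SSH MACs
  ansible.builtin.lineinfile:
    path: "{{ etc_ssh_sshd_config }}"
    regexp: '^#?MACs\s'
    line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
    validate: /usr/sbin/sshd -t -f %s

- name: Set SSH loglevel to verbose
  ansible.builtin.lineinfile:
    path: "{{ etc_ssh_sshd_config }}"
    # The original matched only '^#LogLevel INFO' and so never touched a
    # LogLevel that was already uncommented or set to another value.
    regexp: '^#?LogLevel\s'
    line: 'LogLevel VERBOSE'
    validate: /usr/sbin/sshd -t -f %s

# NOTE(review): /usr/lib/openssh/sftp-server is the Debian/Ubuntu path; on
# RHEL-family hosts the binary lives under /usr/libexec/openssh/, the regexp
# does not match, and the appended second Subsystem line is rejected by
# `sshd -t` — adjust the path per distribution.
- name: Set log sftp level file access
  ansible.builtin.lineinfile:
    path: "{{ etc_ssh_sshd_config }}"
    regexp: '^Subsystem\s+sftp\s+/usr/lib/openssh/sftp-server'
    line: 'Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO'
    validate: /usr/sbin/sshd -t -f %s

- name: Disable SSH root login
  ansible.builtin.lineinfile:
    path: "{{ etc_ssh_sshd_config }}"
    regexp: '^#?PermitRootLogin\s'
    line: 'PermitRootLogin no'
    validate: /usr/sbin/sshd -t -f %s

# Together with AuthenticationMethods below this leaves key-based login as the
# only way in: make sure the key Ansible itself uses is already deployed on the
# host before applying these tasks, or the next run locks itself out.
- name: Disable SSH password authentication
  ansible.builtin.lineinfile:
    path: "{{ etc_ssh_sshd_config }}"
    regexp: '^#?PasswordAuthentication\s'
    line: 'PasswordAuthentication no'
    validate: /usr/sbin/sshd -t -f %s

# NOTE(review): UsePrivilegeSeparation is always on in current OpenSSH and the
# directive itself is deprecated there (sshd logs a warning); drop this task
# on modern hosts.
- name: Set SSH UsePrivilegeSeparation
  ansible.builtin.lineinfile:
    path: "{{ etc_ssh_sshd_config }}"
    regexp: '^#?UsePrivilegeSeparation\s'
    line: 'UsePrivilegeSeparation sandbox'
    validate: /usr/sbin/sshd -t -f %s

- name: Set SSH AuthenticationMethods
  ansible.builtin.lineinfile:
    path: "{{ etc_ssh_sshd_config }}"
    regexp: '^#?AuthenticationMethods\s'
    line: 'AuthenticationMethods publickey'
    validate: /usr/sbin/sshd -t -f %s

# Here you should use your custom port!
- name: Setup alternate SSHd port
  ansible.builtin.lineinfile:
    # `path`, as in the other tasks (the original used the alias `dest`).
    path: "{{ etc_ssh_sshd_config }}"
    regexp: '^#?Port\s'
    line: 'Port 4242'
    validate: /usr/sbin/sshd -t -f %s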