Ansible Build

.github/workflows/test.yml matrix-badge

The Mint System collection of Ansible playbooks and roles.

Requirements

  • Setup uv
  • bash/zsh alias task='./task' with optional completion

Usage

Clone this repository.

git clone git@github.com:Mint-System/Ansible-Build.git

See task help or task for details about the project commands.

Setup

Navigate into the project folder.

cd Ansible-Build

Generate an Ansible vault id and password.

task generate-vault-password $VAULT_ID $PASSWORD

Create an Ansible configuration from the template.

cp ansible.cfg.template ansible.cfg

Install Ansible and Python dependencies.

task install

Create an inventory folder and configure a role.

Ansbile Documentation > Build Your Inventory

Roles

Have a look at the Ansible roles and check how to configure them.

RoleDescription
acme_shIssue & renew the free certificates.
alertmanagerDeploy Alertmanager container.
ansible_scriptsInstall Ansible scripts.
bigbluebuttonInstall BigBlueButton with https and greenlight.
bigbluebutton_exporterDeploy BigBlueButton exporter container.
birtDeploy BIRT container.
blackbox_exporterDeploy Blackbox exporter container.
bookstackDeploy BookStack container.
caddyDeploy Caddy container.
cadvisorDeploy cAdvisor Docker container.
cargoSetup Rust toolchain and cargo package manager.
certbotDeploy Let's Encrypt certificates.
cleanCleanup Ansible roles.
collabora_codeDeploy Collabora Code container.
commentoDeploy Commento container.
coturnDeploy Coturn cotainer.
cronSetup cron jobs.
crowdsecDeploy CrowdSec container.
crowdsec_firewall_bouncerDeploy CrowdSec Firewall Bouncer.
debugDebug Ansible variables.
dindDeploy Docker in Docker container.
dockerInstall Docker for Ubuntu and CentOS.
docker_composeDeploy Docker Compose project.
docker_hostsDocker hostname resolver.
docker_networkConfigure Docker network.
docker_swarmConfigure Docker Swarm.
docker_volumeConfigure Docker volume.
dozzleDeploy Dozzle container.
dribdatDeploy dribdat container.
elasticsearchDeploy Elasticsearch Docker cluster.
fail2banInstall and configure fail2ban.
fathomDeploy Fathom container.
fstabConfigure the fstab file.
gitCheckout Git repositories.
giteaDeploy Gitea container.
grafanaDeploy Grafana Docker container.
hostsAdd entries to hosts files.
htpasswdConfigure .htpasswd basic auth file.
iamConfigures users and groups.
innernetSetup WireGuard based internal network.
jenkinsDeploy Jenkins container.
k3sDeploy Kubernetes cluster with K3s.
keycloakDeploy Keycloak Docker container.
keycloak_clientConfigure Keycloak client.
kibanaDeploy Kibana Docker container.
kibanaDeploy Kibana Docker container.
localeSet system locale.
logstashDeploy Logstash Docker container.
lokiDeploy Loki container.
mailhogDeploy MailHog Docker container.
mailpitDeploy Mailpit Docker container.
maintenanceMaintain operating system and disk space.
mariadbDeploy MariaDB database container.
matomoDeploy Matomo container.
meilisearchDeploy Meilisearch container.
meilisyncDeploy Meilisync container.
metabaseDeploy Metabase Docker container.
metricbeatDeploy Metricbeat Docker container.
moodleDeploy Moodle container.
motdSet message of the day.
mysqlDeploy MySQL database container.
mysqld_exporterDeploy MySQL exporter container.
n8nDeploy N8N container.
n8n_exporterAdd nginx config for N8N exporter path.
nextcloudDeploy Nextcloud container.
nextcloud_appsInstall, update and remove Nextcloud apps.
nextcloud_exporterDeploy Nextcloud exporter container.
nginxDeploy Nginx proxy with Certbot.
nginx_wafDeploy Nginx with ModSecurity and Core Rule Set.
node_exporterDeploy Node exporter container and install custom metric script.
odooDeploy Odoo container.
odoo_appsInstall Odoo apps from file or url.
odoo_dataGenerate Odoo data modules.
odoo_enterpriseCheckout the Odoo Enterprise git repository.
odoo_exporterAdd nginx config for Odoo exporter path.
odoo_patchesApply custom Odoo patches.
odoo_reposSetup Odoo modules public or private GitHub repo.
odoo_scriptsInstall Odoo scripts.
ollamaSetup Ollama and deploy models.
onlyoffice_documentserverDeploy OnlyOffice Document Server container.
openldapDeploy OpenLDAP Docker container.
packagesSet env vars and install packages.
pgadminDeploy pgAdmin container.
php_fpmDeploy PHP-FPM container.
postfixDeploy Postfix relay host.
postgresDeploy PostgreSQL database container.
postgres_exporterDeploy PostgreSQL exporter container.
prometheusDeploy Prometheus Docker container.
promtailDeploy Promtail container.
pushgatewayDeploy Pushgateway container.
rabbitDeploy RabbitMQ container.
rcloneSync files with RClone.
redisDeploy Redis container.
remark42Deploy Remark42 container.
resolvManage DNS configuration.
resticConfigure Restic backup jobs.
restic_exporterAdd nginx config for Restic exporter path.
restic_serverDeploy Restic server container.
s3cmdInstall and configure s3cmd.
simple_mail_forwarderDeploy Simple Mail Forwarder container container.
supersetDeploy Apache Superset container.
systemdSetup systemd service.
timezoneDefine timezone.
ufwConfigure UFW rules.
updateInstall system and package updates.
vercelManage vercel domain and dns entries.
wordpressDeploy WordPress container.

Targets

All Ansible roles can be deployed to a Linux Server via SSH.

flowchart TD
	A[Host] -->|SSH| B[Server]

Some Ansible roles can be deployed to a Kubernetes Cluster.

Ansible Vault

If you encrypt secrets with multiple vault identities, you can specificy the vault list in the ansible.cfg like this:

[defaults]
vault_identity_list = mint_system@.vault_pass_mint_system, sozialinfo@.vault_pass_sozialinfo

Or as an environment variable:

export ANSIBLE_VAULT_IDENTITY_LIST="mint_system@.vault_pass_mint_system, sozialinfo@.vault_pass_sozialinfo"

Alternatively you can configure the --vault-id parameter of the Ansible playbook command:

task play --vault-id mint_system@.vault_pass_mint_system ...

To decrypt single strings run this command:

task encrypt-string sozialinfo "vault_rolename_varname: secret"

Deploy

Deploy the roles to the target hosts with the following commands.

List hosts in inventory.

task list-hosts inventories/setup

Load virtualenv.

source task source

Test connection.

ansible all -m ping -i inventories/odoo

Deploy multiple inventories.

task play -i inventories/setup -i inventories/odoo plays/odoo.yml

Deploy Odoo stack.

task play -i inventories/odoo plays/odoo.yml

Deploy role only.

task play -i inventories/odoo plays/odoo.yml -t postgres

Deploy without dependencies.

task play -i inventories/setup plays/setup.yml --skip-tags depends

Deploy role to specific host.

task play -i inventories/setup plays/setup.yml -t docker -l host.example.com

Deploy role to specific group with non-default user.

task play -i inventories/setup plays/setup.yml -t docker -l host.example.com -u username

Clean Odoo stack.

task play -i inventories/odoo plays/clean.yml.yml -t odoo,odoo_volume,odoo_data,postgres,postgres_volume

Clean role only.

task play -i inventories/setup plays/clean.yml.yml -t docker_network

Clean dry run.

task play -i inventories/odoo plays/odoo.yml -t odoo --check

Install odoo_scripts and odoo_apps locally.

task play -i inventories/setup plays/localhost.yml.yml --skip-tags depends

List all Odoo databses.

ansible all -i inventories/odoo -a "docker-postgres-list -c {{ postgres_hostname }}"

Kubernetes

Setup the following and the role's Kubernetes variables in your localhost inventory.

k8s_kubeconfig: /home/$USERNAME/.kube/config
k8s_namespace: default

Run the Kubernetes playbook for localhost.

task play -i inventories/k8s plays/k8s.yml.yml -l localhost

Development

This section is about developing the Ansible Build project.

Quality

Lint the project using Ansible lint.

task lint

Configuration

Whenever possible use env variables to configure the container.

Env Config

env:
  POSTGRES_USER: "{{ postgres_user }}"
  POSTGRES_PASSWORD: "{{ postgres_password }}"
  POSTGRES_DB: "{{ postgres_db }}"

Data

To persist data use Docker volumes.

Volume Mount

Mount the folder without subfolder.

volumes:
  - "{{ postgres_volume_name }}:/var/lib/postgresql/data"

For Ansible config files use file mounts.

Bind Mount

volumes:
  - "{{ nginx_data_dir }}/:/etc/nginx/conf.d/:ro"

Docs

Every role folder must contain a README.md file.

Mark fix-me-comments with # FIXME: <your text>.

Naming Conventions

Role names must be lower case and may contain an _.

Vars that are stored in vaults are prefixed with vault_.

Template for role vars:

# Url to Docker repsitory
rolename_image:
rolename_hostname:
rolename_port:
rolename_volume_name: "{{ rolename_hostname }}"
rolename_data_dir: "/usr/share/{{ rolename_hostname }}"
rolename_password: "{{ vault_rolename_password }}"

The reference roles are postgres and odoo.

Role and Tags

Roles can have multiple tags.

example one tag

To define a Postgres role, you would:

  • Create role postges
  • Assign the tag postgres
  • Create a task file postgres.yml

example multiple tags

To define a Nginx role with a config tag, you would:

  • Create role nginx
  • Assign the tags nginx and nginx_config
  • Create the task files nginx.yml and nginx_config.yml

In the main.yml you would include the tasks as followed:

- name: "Include {{ role_name }} config tasks"
  include_tasks: "{{ role_name }}-config.yml"
  when: nginx_data_dir is defined
  tags:
    - nginx
    - nginx_config

- name: "Include {{ role_name }} tasks"
  include_tasks: "{{ role_name }}.yml"
  when: nginx_image is defined
  tags:
    - nginx

Aliases

Whenever a role is applied to the same host multiple times, you can create multiple aliases for the same host. Append a selected suffix to make a distinction between the aliases:

  • main: Production environment.
  • int: Staging environment.
  • dev: Development and test environment.
  • upgrade: Upgrade environment.
  • dep: Deprecated environment.

Here is an example of an host with two aliases:

all:
  hosts:
    zeus_web:
      ansible_host: zeus.mint-system.com
    zeus_main:
      ansible_host: zeus.mint-system.com