Ansible

Setup on Windows Machine with basic Authentication

Run this PowerShell on the Windows machine with administrator privileges:

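# host name, used as the DNS name of the certificate and of the listener
$H=hostname
# start WinRM now and at every boot
set-service -name WinRM -StartupType Automatic
Start-Service -Name WinRM
# self-signed certificate for the HTTPS listener; keep only its thumbprint
$T=New-SelfSignedCertificate -DnsName $H -CertStoreLocation Cert:\LocalMachine\My |select Thumbprint
$T=$T.Thumbprint
# build the listener command, print it, then run it
$V="winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=""$H""; CertificateThumbprint=""$T""}'"
$V
invoke-expression $V

# list the configured listeners to check the result
winrm e winrm/config/listener


# allow inbound WinRM over HTTPS through the firewall
$port=5986
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=$port


# open the permissions dialog of the default WinRM endpoint
winrm configSDDL default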

on the server:
/etc/ansible/hosts

add a host to the hosts file to get it managed
filename: /etc/ansible/hosts

[group]
192.168.1.214 ansible_user=pi

test if it works:

ansible group -m ping --limit 192.168.1.214

192.168.1.214 | SUCCESS => {
  "ansible_facts": {
      "discovered_interpreter_python": "/usr/bin/python"
  },
  "changed": false,
  "ping": "pong"
}

hostfile in yaml config - my preferred:

win:
  hosts:
    192.168.1.3:
      ansible_connection: winrm
      #ansible_winrm_cert_pem: /root/cert.pem
      #ansible_winrm_cert_key_pem: /root/cert_key.pem
      ansible_winrm_transport: ntlm
      ansible_user: user
      ansible_password: password
      ansible_winrm_server_cert_validation: ignore

test for windows host

root@u-studio:~# ansible 192.168.1.3 -m win_ping
192.168.1.3 | SUCCESS => {
  "changed": false,
  "ping": "pong"
}
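
A hardened variant of the inventory above, as an added example that is not part of the original page: it keeps certificate validation on by trusting the listener's self-signed certificate and takes the password from a vault-encrypted variable (see the Secret Vault section). The host name winhost01, the PEM path and the variable name vault_win_password are assumptions.

```yaml
# Added example (not from the original page). winhost01, the PEM path and
# vault_win_password are hypothetical names chosen for illustration.
win:
  hosts:
    # Use the name the certificate was issued for (the output of `hostname`
    # on the Windows machine), not the IP address: validation compares the
    # name Ansible connects to with the DNS name in the certificate.
    winhost01:
      ansible_connection: winrm
      ansible_port: 5986
      ansible_winrm_scheme: https
      ansible_winrm_transport: ntlm
      ansible_user: user
      # Defined in a vault-encrypted vars file (for example
      # group_vars/win/vault.yml), so no clear-text password is stored here.
      ansible_password: "{{ vault_win_password }}"
      # Weak setting used in the inventory above:
      #   ansible_winrm_server_cert_validation: ignore
      ansible_winrm_server_cert_validation: validate
      # PEM copy of the self-signed listener certificate, exported from
      # Cert:\LocalMachine\My on the Windows host and copied to this machine.
      ansible_winrm_ca_trust_path: /etc/ansible/winrm/winhost01.pem
```

With validation enabled, a connection to a host presenting a different certificate fails instead of silently sending the NTLM exchange to it.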

playbooks

example: myfirstWinPlaybook.yaml

- name: Network Getting Started First Playbook
  # Windows hosts are reached over WinRM, not network_cli
  connection: winrm
  gather_facts: false
  hosts: all
  tasks:
    - name: Copy File or Dir
      win_copy:
        src: C:\temp\
        dest: C:\ansible_temp\
        remote_src: yes

Secret Vault

create a secret:

ansible-vault create secret

(the file is named secret)

after entering the passphrase that protects the file, add the password variable to it:

ansible_sudo_pass: password123

using a secret inside a playbook:

- hosts: linux
  # load the variables stored in the vault-encrypted file "secret"
  vars_files:
    - secret
  tasks:
  - name: Upgrade all packages, excluding kernel & foo related packages
    yum:
      name: '*'
      state: latest
      exclude: kernel*,foo*
    become: yes

ansible-playbook --ask-vault-pass upgrade_centos.yml

to access the vault file without being prompted for the password, create a file containing the password and then set the following variable to the file's path:

export ANSIBLE_VAULT_PASSWORD_FILE=/root/.vault_pass.txt

then the command

ansible-vault view /home/davide/secret

shows the unencrypted file content on screen.

and call the playbook with this command:

add user:

  - name: Create a login user
    user:
      name: fideloper
      password: '$6$F4NWXRFtSdCi8$DsB5vvMJYusQhSbvGXrYDXL6Xj37MUuqFCd4dGXdKd6NyxT3lpdELN07/Kpo7EjjWnm9zusFg/LLFv6oc.ynu/'
      groups: docker, sudo   # Empty by default.
      state: present
      shell: /bin/bash       # Defaults to /bin/bash
      system: no             # Defaults to no
      createhome: yes        # Defaults to yes
      home: /home/fideloper  # Defaults to /home/<username>

where the password hash was created with the mkpasswd command

 mkpasswd --method=sha-512

install firefox:

- hosts: win
  tasks:
  - name: win_package install firefox
    win_package:
      path: \\192.168.1.36\1T\Downloads\Firefox86.0.1.msi
      product_id: 'Mozilla Firefox'
      state: present

ansible/windows.txt · Last modified: 2024/11/10 08:00 by 127.0.0.1