- Edit the Hosts File

  First, we have to edit the `hosts` file to add all of the servers you want to control.
- Organize Inventory and Playbooks

  I created an `inventory` folder where I placed the `hosts` file and another folder named `playbooks` where all my playbooks are stored.
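As an added illustration (not the author's file), here is what such an `inventory/hosts` file can look like in Ansible's YAML inventory format; Ansible reads the same information from an INI-style file too. The host names, groups and addresses are constructed placeholders, and `ansible_user` is set to `root` to match the initial password-based setup described in the following steps.

```yaml
# inventory/hosts  (constructed example; names and addresses are placeholders)
all:
  vars:
    # Initial state: log in as root with a password (--ask-pass).
    # Changed to serveradmin once key authentication is working.
    ansible_user: root
  children:
    proxmox:
      hosts:
        pve-homelab:
          ansible_host: 192.0.2.10      # RFC 5737 documentation address
    docker:
      hosts:
        docker-01:
          ansible_host: 192.0.2.21
        docker-02:
          ansible_host: 192.0.2.22
    lab:                                # a group made of other groups
      children:
        proxmox:
        docker:
```

The group names (`proxmox`, `docker`, `lab`) are what `--limit` matches against later on. Before running anything against it, check that the file parses and that every host lands in the group you expect with `ansible-inventory -i inventory/hosts --graph`.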
- Prepare for Key Authentication

  If you are like me, you don’t have key authentication set up on any of the machines you want to control, so the first task I wanted to achieve using Ansible was exactly this.

  However, it’s not as simple as it sounds. First, you need to ensure you can SSH into each machine using your password and the root user. This is the username I used in my `hosts` file initially.

  Eventually, during this process, we will:
  - Create the `serveradmin` user on all machines.
  - Set up key authentication for that user.
  - Update our `hosts` file with the new user.
- Test Connectivity

  Test if we can connect to all the machines using the Ansible `ping` module:

  ```
  ansible all -m ping -i hosts --ask-pass
  ```

  - Use the `--ask-pass` option since we don’t have key authentication set up yet.
  - If everything goes well, you should see a list of your hosts with the ping results. Even if it fails, you can troubleshoot using the logs.
- Create a Secrets File

  Create a `secrets.yml` file to store the desired password for the `serveradmin` user:

  ```
  ansible-vault create secrets.yml
  ```

  Inside the file, include:

  ```
  serveradmin_password: "{{ 'desired_password' | password_hash('sha512') }}"
  ```

  Save this file in the `playbooks` folder.
- Create a Playbook to Add the `serveradmin` User

  Once everything is ready, create your first playbook to add the `serveradmin` user.
  - If you want to exclude a specific host (e.g., `pve-homelab`), include this condition:

    ```
    when: inventory_hostname != "pve-homelab"
    ```

  - Run the playbook using:

    ```
    ansible-playbook -i ./inventory/hosts ./playbooks/<playbook_name>.yml --ask-pass
    ```
- Change the User’s Shell

  The `serveradmin` user may be created with a shell that doesn’t have access to the `.ssh` directory.
  - To fix this, create a `change-shell.yml` playbook to update the shell.
  - Run the playbook using the same command as above, replacing the playbook name:

    ```
    ansible-playbook -i ./inventory/hosts ./playbooks/change-shell.yml --ask-pass
    ```
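The following is an added example of the user-creation playbook described in the previous two steps, written here rather than taken from the author's repository; it also sets the login shell, which covers what the separate `change-shell.yml` step does. It assumes the vaulted `secrets.yml` sits beside it in the `playbooks` folder, that the hosts are Debian/Ubuntu based (the `sudo` group; RHEL-family systems use `wheel`), and that `pve-homelab` is to be excluded. Because `password_hash('sha512')` without a fixed salt produces a different hash on every run, `update_password: on_create` keeps the task idempotent: the password is set once, and a later change has to be made deliberately.

```yaml
# playbooks/add-serveradmin.yml  (constructed example, not the author's playbook)
# Run: ansible-playbook -i ./inventory/hosts ./playbooks/add-serveradmin.yml \
#        --ask-pass --ask-vault-pass
- name: Create the serveradmin user on every host
  hosts: all
  become: true                  # no-op while connecting as root, needed later
  vars_files:
    - secrets.yml               # vaulted; defines serveradmin_password

  tasks:
    - name: Create serveradmin with a hashed password, sudo access and a usable shell
      ansible.builtin.user:
        name: serveradmin
        password: "{{ serveradmin_password }}"   # already hashed by password_hash()
        update_password: on_create              # do not rewrite the hash on every run
        shell: /bin/bash                        # login shell; makes change-shell.yml unnecessary
        groups: sudo                            # assumption: Debian/Ubuntu hosts
        append: true                            # keep any other groups the user has
        create_home: true                       # ~/.ssh will live here
        state: present
      when: inventory_hostname != "pve-homelab"
```

If the user already exists with the wrong shell, the same `ansible.builtin.user` task with only `name` and `shell` set is all a `change-shell.yml` needs; the module changes the shell and reports `changed` only when it actually differs.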
- Set Up SSH Keys for the `serveradmin` User

  Use the `setup-ssh-serveradmin.yml` playbook to copy the SSH key to all hosts.

  Once done:
  - Update the `hosts` file to use the `serveradmin` user for all hosts.
  - Test connectivity again, this time omitting the `--ask-pass` option:

    ```
    ansible all -m ping -i hosts
    ```

    It should work without errors.
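An added example of what a `setup-ssh-serveradmin.yml` playbook can look like (constructed here, not the author's): it installs the control node's `~/.ssh/id_rsa.pub` into `serveradmin`'s `authorized_keys` using the `ansible.posix.authorized_key` module, which also creates `~/.ssh` with mode 0700 and the key file with mode 0600 when they are missing. The module ships with the `ansible` package; with `ansible-core` alone, install it first with `ansible-galaxy collection install ansible.posix`. The comment at the end shows the inventory change that follows.

```yaml
# playbooks/setup-ssh-serveradmin.yml  (constructed example, not the author's playbook)
# Run: ansible-playbook -i ./inventory/hosts ./playbooks/setup-ssh-serveradmin.yml --ask-pass
- name: Install the control node's public key for serveradmin
  hosts: all
  become: true

  tasks:
    - name: Add ~/.ssh/id_rsa.pub from the control node to serveradmin's authorized_keys
      ansible.posix.authorized_key:
        user: serveradmin
        key: "{{ lookup('ansible.builtin.file', '~/.ssh/id_rsa.pub') }}"  # read on the control node
        state: present
        exclusive: false        # keep keys that are already there
        manage_dir: true        # create ~/.ssh with 0700 if missing

# After the play succeeds, switch inventory/hosts to the new user:
#
#   all:
#     vars:
#       ansible_user: serveradmin
#
# and re-run the connectivity test without --ask-pass. Plays that use
# become now need the sudo password of serveradmin: add --ask-become-pass (-K).
```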
- (Optional) Disable Password Authentication

  For added security, disable password authentication for SSH on all hosts using the `pass-auth-disable.yml` playbook.
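As an added example of what a `pass-auth-disable.yml` playbook can contain (constructed here, not the author's playbook): it edits `/etc/ssh/sshd_config` with `lineinfile`, lets `sshd -t` validate the candidate file before it replaces the real one so a typo cannot leave the daemon unable to restart, and only then restarts the service. It assumes Debian/Ubuntu hosts (service name `ssh`; RHEL-family hosts use `sshd`) and goes slightly beyond the page by also turning off keyboard-interactive (PAM) password prompts and root password login, since either would leave a password path open.

```yaml
# playbooks/pass-auth-disable.yml  (constructed example, not the author's playbook)
# Run only after the key-based ping works, otherwise you lock yourself out:
#   ansible-playbook -i ./inventory/hosts ./playbooks/pass-auth-disable.yml -K
- name: Disable SSH password authentication
  hosts: all
  become: true

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh               # assumption: Debian/Ubuntu; "sshd" on RHEL-family
        state: restarted

  tasks:
    - name: Set sshd options (config is validated before the file is replaced)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'        # match the live or commented-out line
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        # values quoted so YAML does not turn no/yes into booleans
        - { key: PasswordAuthentication, value: "no" }
        - { key: KbdInteractiveAuthentication, value: "no" }   # PAM prompts; OpenSSH >= 8.7
        - { key: PubkeyAuthentication, value: "yes" }
        - { key: PermitRootLogin, value: prohibit-password }
      notify: Restart sshd
```

On hosts whose `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in (cloud-init images often carry one) can still say `PasswordAuthentication yes`, and for sshd the first occurrence of an option wins. Confirm the effective setting on a host with `sudo sshd -T | grep -i passwordauthentication` rather than trusting the edit alone.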
If you want to be able to send Ansible commands directly to a new machine that you added to the `hosts` file, you need to:

- Go to the WSL machine and run:

  ```
  cat ~/.ssh/id_rsa.pub
  ```

- Copy the output.
- On the machine that you want to control:
  - Change directory to `~/.ssh`
  - Open the `authorized_keys` file with:

    ```
    nano authorized_keys
    ```

  - Paste the contents of your `id_rsa.pub`
- After that, you should be able to run Ansible commands against the machine, provided that you configured the username in the `hosts` file.
- Limit groups

  If you want to run a playbook only against a specific group of hosts, run:

  ```
  ansible-playbook -i hosts playbook.yml --limit group
  ```
- Exclude hosts

  If you want to run a playbook but exclude a single (or multiple*) host, run:

  ```
  ansible-playbook -i hosts playbook.yml --limit '!host'
  ```

  *If you want to exclude multiple hosts, just add them separated by commas, following the same `!` syntax inside the quotes.