Manage OpenBSD hosts using ansible

First steps with ansible

All Ansible commands follow the pattern:

ansible <server_or_group> -m module_name -a arguments

Run ansible test on OpenBSD host (requires python2.7 installed):

ansible all -u sysadmin -i www.echoctf.dev, -m ping -e 'ansible_python_interpreter=/usr/local/bin/python2.7'

Ansible host inventory

Create inventory location:

mkdir ~/work/ansible
touch ~/work/ansible/hosts
touch ~/.ansible.cfg

Open ~/.ansible.cfg file to specify the inventory location:

[defaults]
inventory = ~/work/ansible/hosts

Create entries in ~.work/ansible/hosts file:

kerberus.wks.echothrust.dev
mail.echothrust.dev

[webservers]
www.echoctf.dev
support.echothrust.dev
www.echothrust.dev

Creating playbooks

A playbook is a YAML file, and typically follows this structure:

---
- hosts: [target hosts]
  remote_user: [yourname]
  tasks:
    - [task 1]
    - [task 2]

For example, the following playbook will create a file on all servers in the webservers group

---
- hosts: [webservers]
  remote_user: sysadmin
  tasks:
    - name: Create /tmp/somefile.test
      command: touch /tmp/somefile.test
      become: True
      become_method: doas

Relevant post about doas, ansible and env vars

Running playbooks

Assuming you are in the same directory as a playbook file, run:

ansible-playbook myplaybook.yml

If you want to see what hosts this playbook will affect without having to open up the YAML file, you can run:

ansible-playbook myplaybook.yml --list-hosts

If you want to see what tasks will run on a specific host:

ansible-playbook myplaybook.yml -i www.echoctf.dev, --list-tasks

Use the “batteries included”

Ansible ships with a large collection of modules that you can run as tasks or via ad-hoc commands. To see a listing of all available modules, run:

ansible-doc -l

The list is quite large… some interesting modules follow.

Commands:

• command - Executes a command on a remote node
• script - Runs a local script on a remote node after transferring it
• shell - Execute commands in nodes
• raw - Executes a low-down and dirty SSH command
• fetch - Fetches a file from remote nodes

Files:

• copy - Copies files to remote locations
• template - Templates a file out to a remote server
• authorized_key - Add/remove SSH authorized keys
• known_hosts - Add or remove a host from the known_hosts file
• lineinfile - Ensure a particular line is in a file. Replace existing line using a back-referenced regex
• blockinfile - Insert/update/remove a text block surrounded by marker lines
• replace - Replace all instances of a particular string in a file using a back-referenced regular expression
• ini_file - Tweak settings in INI files
• htpasswd - Manage user files for basic authentication
• stat - Retrieve file or file system status
• unarchive - Unpacks an archive after (optionally) copying it from the local machine

Package management:

• git - Deploy software (or files) from git checkouts
• openbsd_pkg - Manage packages on OpenBSD
• yum - Manages packages with the yum package manager
• apt - Manages apt-packages

Operating system:

• service - Manage services
• system - Manage services
• user - Manage user accounts
• cron - Manage cron.d and crontab entries.
• solaris_zone - Manage Solaris zones
• sysctl - Manage entries in sysctl.conf.

Various:

• mysql_db - Add or remove MySQL databases from a remote host
• mysql_user - Adds or removes a user from a MySQL database
• nagios - Perform common tasks in Nagios related to downtime and notifications
• redis - Various redis commands, slave and flush
• letsencrypt - Create SSL certificates with Let’s Encrypt
• cloudflare_dns - manage Cloudflare DNS records
• digital_ocean - Create/delete a droplet/SSH_key in DigitalOcean
• wakeonlan - Send a magic Wake-on-LAN (WoL) broadcast packet