apt update
apt install ansible
apt install software-properties-commonSetup passwordless authentication with the servers you want to manage
This is useful if you want to automate processes via ssh without intervening by having to input the password to the remote server.
sshcopy-id user@ip_addressSetup passwordless sudo commands
In the server you want to manage with ansible, you’ll have to allow the sudo user to execute commands without a password. Since in this example we want to automate the updates-upgrades of the system, each time ansible sends the order to do an apt update (or other command with superuser privileges) the sudo password will be asked demanding a human interaction and ansible will not be able to successfully send the order to the remote server. There are 2 ways to do this. One is by typing visudo in debian to ope the configuration file /etc/sudoers and the other ways is by creating a new file inside /etc/sudoers.d/[name of your sudo user]. Once inside that file we need to add the following line:
# Allow admin user to run specific scripts and commands with superuser privileges
# without needing a password.
admin ALL=(ALL) NOPASSWD: ALLIf you want to be less permissive and only allow certain commands to be executed without a password these are the ones used in the playbooks in this example:
# Allow admin user to run specific scripts and commands with superuser privileges
# without needing a password.
Cmnd_Alias UPDATE_PKGS = /usr/bin/apt update, \
/usr/bin/apt upgrade, \
/usr/bin/apt dist-upgrade, \
/usr/bin/apt autoremove, \
/usr/bin/apt autoclean, \
admin ALL=(ALL) NOPASSWD: UPDATE_PKGS Define where your ansible files are going to be placed
Given that this example will be tested in proxmox, I will locate them in /etc/ansible if is not created by defect. Furthermore, having the ansible configuration directtory in the main sever will ensure comms with all vms running inside unless the server is shut down.
Create an inventory file that includes your Proxmox VMs (or other servers you want to manage). For example, /etc/ansible/hosts:
Make sure your vms have a static ip!
[proxmox_vms]
vm1 ansible_host=192.168.1.101 ansible_ssh_user=admin
vm2 ansible_host=192.168.1.102 ansible_ssh_user=adminTest your connectivity with the hosts:
ansible all -m ping1. Daily Tasks Playbook: daily_tasks.yml
---
- name: Daily Maintenance Tasks
hosts: webservers
become: yes
tasks:
- name: Update the apt package cache
apt:
update_cache: yes
- name: Clean up unused packages
apt:
autoremove: yes
- name: Clear out outdated package files
apt:
autoclean: yes
2. Monthly Tasks Playbook: monthly_tasks.yml
---
- name: Monthly Maintenance Tasks
hosts: webservers
become: yes
tasks:
- name: Upgrade all installed packages (standard)
apt:
upgrade: safe # Upgrades packages without removing any
- name: Full upgrade of all installed packages (including system upgrades)
apt:
upgrade: dist # Allows removal of obsolete packages and installation of new dependencies
3. Emergency Security Updates Playbook: security_updates.yml
---
- name: Urgent Security Upgrades
hosts: webservers
become: yes
tasks:
- name: Update the apt package cache
apt:
update_cache: yes
- name: Upgrade only security updates
apt:
upgrade: dist # Upgrades security updates only
Create a simple bash script to manage the urgent security upgrades and make it executable:
nano /etc/ansible/security_updates.sh#!/bin/bash
# Check for security updates
SECURITY_UPDATES=$(apt list --upgradable 2>/dev/null | grep -i security)
if [ -n "$SECURITY_UPDATES" ]; then
echo "Security updates available. Running the Ansible playbook."
ansible-playbook -i /etc/ansible/hosts /etc/ansible/security_upgrades.yml
else
echo "No security updates available."
fichmod +x /etc/ansible/security_updates.shCron Jobs for Execution
Now, here are the cron jobs to schedule the execution of these playbooks:
- Daily Maintenance Tasks: Run every day at 2 AM.
0 2 * * * ansible-playbook -i /etc/ansible/hosts.ini /etc/ansible/daily_tasks.yml >> /var/log/ansible_daily.log 2>&12. Monthly Maintenance Tasks: Run on the first Saturday of every month at 2 AM.
0 2 * * 6 [ "$(date +\%d)" -le 7 ] && ansible-playbook -i /etc/ansible/hosts.ini /etc/ansible/monthly_tasks.yml >> /var/log/ansible_monthly.log 2>&13. Emergency Security Updates: Run daily at 3 AM (or adjust as needed) using a script that checks for security updates.
0 3 * * * /etc/ansible/security_updates.sh >> /var/log/ansible_security.log 2>&1 # Ensure the correct script nameThe end