Installing Ansible and playbook


Ansible runs on your local computer and talks with the remote server over SSH. In an ideal situation, you never need to connect to the server manually over SSH, as Ansible does all the tasks for you.

Ansible is driven by a playbook, which is effectively a linear script of commands to be run on the server. Playbooks are human readable as is, even if you don't use Ansible yourself. Playbooks are usually distributed as cloneable Git repositories.


Websauna’s playbook websauna.ansible is provided in a separate Git repository. See websauna.ansible Git repository.

Clone the repository from GitHub to get started with your Playbook:

git clone git@github.com:websauna/websauna.ansible.git

Create a virtual environment for Ansible. This must be separate from the virtual environment of your application due to Python version differences:

cd websauna.ansible
virtualenv -p python2.7 venv
source venv/bin/activate

And install Ansible using pip. On Linux:

pip install "ansible<2.2"  # Stouts.nginx is currently incompatible with latest Ansible

On macOS, recent versions do not ship with OpenSSL, so run the following instead of the pip command above:

brew install openssl --force
echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.zshrc # zsh
env LDFLAGS="-L/usr/local/opt/openssl/lib" CPPFLAGS="-I/usr/local/opt/openssl/include" CFLAGS="-I/usr/local/opt/openssl/include" pip install "ansible<2.2"


Ansible runs on Python 2.x only. Ansible is a Red Hat product. Red Hat is committed to supporting Python 2.4 for their enterprise users. As long as Python 2.4 is supported, it is impossible to upgrade Ansible to support Python 3.x due to syntax incompatibilities.

Install the packaged roles we are going to use inside the cloned playbook. They will be placed in the galaxy folder inside the playbook folder:

ansible-galaxy install -r requirements.yml

Creating Ansible vault

Create an Ansible vault with a password. The vault is a secrets file where Ansible stores non-public configuration variables. To avoid retyping the password every time, the password is saved in plaintext in your home folder or any other safe location. The default location of the password file is ~/websauna-ansible-vault.txt, as configured in ansible.cfg:

# Read a password from keyboard and store it in a file.
# This file is configured in ansible.cfg
# (&& rather than a pipe: a pipe runs read in a subshell and $pass stays empty)
read -s pass && echo "$pass" > ~/websauna-ansible-vault.txt
# The password is stored in plaintext, so restrict the file to your user
chmod 600 ~/websauna-ansible-vault.txt

# Create a secrets.yml vault for your project
ansible-vault create secrets.yml

This will open your text editor and let you edit the vault in an unencrypted format.

  • You do not need to add anything in this file for now. It will be filled in later in the instructions.

  • Save file

  • Quit your text editor to get back to the command line
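
A way to verify the result of the vault steps above, as an added example that is not part of the Websauna documentation or the websauna.ansible playbook: it checks that the password file was actually captured and is private to your user, and that secrets.yml carries the `$ANSIBLE_VAULT;` header that ansible-vault writes to encrypted files. The function names are hypothetical and the demo files are constructed.

```shell
#!/bin/sh
# Added example (not from websauna.ansible); function names are hypothetical.

# Store the first line of stdin as the vault password, owner-only.
write_vault_password_file() {
    ( umask 077 && head -n 1 > "$1" && chmod 600 "$1" )
}

# Succeed only if the password file exists, is non-empty and is private.
check_vault_password_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # An empty file means the password was never captured.
    [ -n "$(tr -d '[:space:]' < "$f")" ] || { echo "empty: $f"; return 1; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "group/other access: $f"; return 1; }
}

# Succeed only if the file starts with the ansible-vault envelope header.
check_vault_encrypted() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    case $(head -n 1 < "$f") in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) echo "not encrypted: $f"; return 1 ;;
    esac
}

# Demo on constructed files in a scratch directory (no real secrets).
demo=$(mktemp -d)
printf 'constructed-pass\n' | write_vault_password_file "$demo/vault.txt"
printf '$ANSIBLE_VAULT;1.1;AES256\n6162\n' > "$demo/secrets.yml"
check_vault_password_file "$demo/vault.txt" \
    && check_vault_encrypted "$demo/secrets.yml" \
    && echo "vault setup OK"
rm -rf "$demo"
```

Running `check_vault_encrypted secrets.yml` before every commit catches a vault that was saved or decrypted in plaintext.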

Using alternative text editor with Ansible vault

You can specify any command-line compatible editor for vault editing. For example, on OSX you could do:

# Use default OSX text edit as vault editor
export EDITOR="/usr/bin/open -n -W -a /Applications/"

# Create a secrets.yml vault for your project using TextEdit
ansible-vault create secrets.yml

More information using UNIX EDITOR environment variable (Ubuntu).

More information using UNIX EDITOR environment variable (OSX).