I am using Ansible to configure my several web servers. I want to restrict all traffic coming to those servers except from some hosts. Actually, I want these servers to be accessible only from some hosts.
First figure out how to configure such a firewall on your system without Ansible. Then use Ansible to apply that configuration to a host.
I use the package iptables-persistent on Debian 9, and use Ansible templating to manage /etc/iptables/rules.v4.
Well, I have a client with an intranet infrastructure that can't be accessed from the internet or over VPN, so I need to access it through TeamViewer.
This client gave me 10 VMs (Linux CentOS 6) to work with (I can't create others or destroy them). So I need to prepare this infrastructure to run my CI/CD and deliver the software, so I need these services running before my software deploy:
Docker
Mongo DB
Postgres
Nginx
Jenkins
I'm thinking about two options to solve it:
Terraform CLI (remember I will need to access the client through TeamViewer and run terraform apply)
Ansible (here I can list the 10 machines and execute everything together with 1 playbook).
I heard that Terraform is more for provisioning servers (VMs, EC2 ...), VPCs, subnets, load balancers, while Ansible is more about configuring each machine, in a more granular way. If this is correct I think Ansible is the correct choice for me.
Any suggestions guys?
Yes.
Terraform provisions your environment from scratch. It is an Infrastructure as Code tool.
Ansible configures your environment. It is a configuration management tool.
Often, people combine both of them. First provision the network stack and servers using Terraform, and then configure the applications inside the servers using Ansible.
You already have the VMs, hence opting for a configuration management tool (Chef, Ansible, Puppet, SaltStack) better fits your use case.
We do not need any network model like Calico or Weave Net, just the host network is enough. But I couldn't find a way to disable the network plugin. Kubespray always wants me to specify one.
How can a host network work with multiple servers? Use the default.
I am quite new to Ansible, and I wonder if someone could save me some feeling my way in the darkness, and share what is the best way to do the following.
I have several cloud environments with (mostly) Windows hosts that I want to manage with Ansible. The thing is that my Ansible server is outside these environments and I can't WinRM directly to the various Windows hosts (security, you know...). So what I would like to do is to add a Linux host to each cloud environment and use these hosts as a kind of proxy: I will access them from the Ansible server and use the psexec module to access the Windows servers.
My problem though is that if I do that, then my Ansible inventory will include only the Linux "proxies" and I will not be able to categorize the Windows servers into policy groups.
So again, can anyone share how to properly handle this? I guess I just need some way to create an inventory-like structure of the Windows servers and associate it with the appropriate "proxy" hosts.
Many thanks,
Oren
I wanted to know if Ansible will work if we have a Windows jump server or bastion server instead. If yes, how can we achieve this?
This is possible, via Nginx.
Send the WinRM traffic to Nginx. Configure Nginx in a way that each target host has its own URL.
example.com/tn1
example.com/tn2
Point each node at your my.fqdn.com/wsman.
Look at this pull request.
So I would like to run a playbook via Ansible on a host, get the IP of that host and then add it to the haproxy.cfg.
I have managed to get the IP from the host by using ansible_default_ipv4.address (which gives "192.168.159.44"), but I don't think this is the correct way to do this.
I want to basically add this line
server dnsnameofserver IP:80 check fall 3 rise 2 cookie uniquecookie
Where the IP and DNS name is collected from the server.
So the workflow I'm thinking of is running a playbook on a webserver that collects the info and then sends that information to the HAProxy server.
Is this even possible?
Getting the IP from Ansible facts is the proper way. You can create two host groups, one for the webservers and another for the HAProxy server. You can then use delegate_to to run the HAProxy command on the HAProxy server.
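One way to implement the facts-plus-delegate_to approach this answer describes, as an added example that is not from the thread or from anyone in it. The group names webservers and haproxy, the backend name web_backend and the path /etc/haproxy/haproxy.cfg are assumptions; the server line follows the format the question gives.

```yaml
---
# Added example (not from the original thread). Assumes an inventory with the
# groups "webservers" and "haproxy", and a backend named "web_backend" in
# /etc/haproxy/haproxy.cfg on the HAProxy host (all placeholder names).
- name: Register each web server in HAProxy
  hosts: webservers
  gather_facts: true          # provides ansible_fqdn and ansible_default_ipv4
  become: true
  tasks:
    - name: Add or refresh this host's server line in the backend
      ansible.builtin.lineinfile:
        path: /etc/haproxy/haproxy.cfg
        insertafter: '^backend web_backend'
        # match on the DNS name so a changed IP replaces the old line
        # instead of appending a duplicate
        regexp: '^\s*server {{ ansible_fqdn }}\s'
        line: "    server {{ ansible_fqdn }} {{ ansible_default_ipv4.address }}:80 check fall 3 rise 2 cookie {{ inventory_hostname }}"
        # reject the edit if the resulting config does not parse, so a bad
        # fact value never reaches the running load balancer
        validate: 'haproxy -c -f %s'
      # facts in the templates are still the web server's; only the file
      # edit runs on the HAProxy host
      delegate_to: "{{ groups['haproxy'][0] }}"
      # several web servers edit the same file: serialize to avoid races
      throttle: 1
      notify: Reload haproxy

  handlers:
    - name: Reload haproxy
      ansible.builtin.service:
        name: haproxy
        state: reloaded
      delegate_to: "{{ groups['haproxy'][0] }}"
```

Run with the inventory that defines both groups; the reload handler fires once at the end of the play only if at least one server line actually changed.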