Roles & Collections
General Organization
We recommend to generally keep a strict separation between roles and collections on the one hand and playbook, inventory and host vars on the other hand. This makes it easier to reuse roles at a later time. Another advantage of this strict separation is that roles and collections can later on be published as open source without risking the exposure of sensitive customer data.
We also recommend to put each role or collection into its own Git repository. Again, this makes reuse easier.
We generally recommend to prefer collections over single-role repositories. While there is no official “don’t use single-role repos” announcement yet, and they won’t go away for a long time, they for example are not supported in Ansible Automation Hub.
Roles
The following recommendations apply to both roles within collections as well as single-role repositories.
A new role with all its boilerplate can be created using the command
ansible-galaxy role init <rolename>. This can be used both within
the roles/ folder of a collection and for a standalone role
repository.
Role Directory Layout
.
├── defaults/
│ └── main.yml
├── files/
│ └── etc/
│ └── default/
│ └── ssh
├── handlers/
│ └── main.yml
├── meta/
│ └── main.yml
├── tasks/
│ ├── configuration.yml
│ ├── installation.yml
│ └── main.yml
├── templates/
│ └── etc/
│ └── ssh/
│ └── sshd_config.j2
└── vars/
├── Debian.yml
└── RedHat.yml
Tasks
We use main.yml only to import other YAML files and to assign tags to the imported tasks:
---
- name: Include OS-specific vars
ansible.builtin.include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml"
- "{{ ansible_facts.os_family }}.yml"
tags:
- "role::sshd"
- "role::sshd:install"
- "role::sshd:config"
- name: Install SSH server
ansible.builtin.import_tasks: install.yml
tags:
- "role::sshd"
- "role::sshd:install"
- name: Configure SSH server
ansible.builtin.import_tasks: config.yml
tags:
- "role::sshd"
- "role::sshd:config"
Role tagging helps later while running Ansible. When ansible-playbook is
called with --tags, only matching tasks will be executed.
The actual tasks are split up into individual logical units, each
within one task file. The example above e.g. splits the tasks into
installation and configuration components. Tasks inside the
install.yml file are used to install all related packages:
---
- name: install | Install SSH-related packages
ansible.builtin.package:
name: "{{ sshd_packages }}"
state: present
The configuration files are rendered in config.yml:
---
- name: config | Create SSH authorized_keys directory
ansible.builtin.file:
path: /etc/ssh/authorized_keys
state: directory
owner: root
group: root
mode: "0755"
seuser: system_u
serole: object_r
setype: sshd_key_t
selevel: s0
- name: config | Configure SSHd
ansible.builtin.template:
src: etc/ssh/sshd_config.j2
dest: "{{ sshd_daemon_cfg }}"
owner: root
group: root
mode: "0644"
seuser: system_u
serole: object_r
setype: etc_t
selevel: s0
validate: "{{ sshd_daemon_bin }} -t -f %s"
notify:
- Restart sshd
If necessary, you can add additional tags to individual tasks inside
the imported files. However, since this ad-hoc tag list overrides the
one defined in main.yml, you must also provide all the tags from
main.yml again for the single task:
Good example:
- name: install | Install SSH related packages
ansible.builtin.package:
name: "{{ sshd_packages }}"
state: present
tags:
# This tag is added only for this task
- "role::sshd:packages"
# These two tags must be provided again, as the tag list from main.yml is overwritten by this tag list.
- "role::sshd"
- "role::sshd:install"
Bad example:
- name: install | Install SSH related packages
ansible.builtin.package:
name: "{{ sshd_packages }}"
state: present
tags:
- "role::sshd:packages"
This task is no longer executed when run via --tags role::sshd.
Variables
Variables in vars/ are used for static data, e.g. package-, service-
and filenames. Only use vars/ for data that does not change on a
host-by-host basis, for that use the defaults!
The variables stored in vars/ can be loaded dynamically. This can
be used to e.g. load OS-dependent variables. The example above uses
this to load the ssh_packages variable dependent on the
os_family host fact.
To achieve this, you put the variables into files named after os_family inside the vars/ directory:
Debian.ymlRedHat.yml
If there are special variables for some operating systems, you can specify those in the files named:
Debian_11.ymlDebian_12.ymlCentOS_7.ymlCentOS_8.ymlCentOS_9.ymlUbuntu_20.ymlUbuntu_22.yml…
This logic is implemented using the with_first_found iterator in
the example above. For more information, check out the documentation
on Loops.
By our convention, each variable name start with <rolename>_ and
the name contains only lower case letters, numbers and underline
_:
---
# ssh related packages
sshd_packages:
- openssh-client
- openssh-server
# ssh service name
sshd_service: ssh
# ssh daemon binary (absolute path)
sshd_daemon_bin: /usr/sbin/sshd
# ssh daemon configuration file
sshd_daemon_cfg: /etc/ssh/sshd_config
# ssh daemon sftp server
sshd_sftp_server: /usr/lib/openssh/sftp-server
Defaults
Every variable which is used inside a template or for tasks, and which is not defined in the vars, needs to be defined as defaults. If there is no reasonable default value, the README should make it clear that the value must be provided via host vars. Defaults can be used for example for default ports and hostnames (e.g. binding a service to localhost:80 unless overwritten via host vars).
There is only one defaults file, called main.yml:
---
# The ports to bind sshd on
sshd_ports:
- 22
# a list of ssh host keys
sshd_host_keys:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_ed25519_key
Handlers
Handlers are used to perform additional tasks required to apply changed configuration, such as restarting services. That way a service does not get restarted with every playbook run, but only when required. Another advantage of handlers is that they can be notified by multiple tasks, yet only get executed once per playbook run..
---
- name: Restart SSHd
ansible.builtin.service:
name: "{{ sshd_service }}"
state: restarted
This handler gets notified by a task called Configure SSHd. it
will call the handler Restart SSHd, but only if the task has
effected a change.
Using handlers should always be preferred over implementing your own conditional restart logic, unless the restart requires additional logic that can’t be covered by handlers.
Bad example:
---
- name: Render /etc/ssh/sshd_config
ansible.builtin.template: ...
register: sshd_register_sshd_config
- name: Restart SSHd
ansible.builtin.service:
name: "{{ sshd_service }}"
state: restarted
when: "{{ sshd_register_sshd_config.changed }}"
Files
If some static files have to be copied, they can be stored
in the directory files/.
Within this directory, we rebuild the path structure of a target system. We do not store files in a flattened directory:
Good example:
sshd/
└── files/
└── etc/
├── default/
│ └── ssh
└── ssh/
└── sshd_config
Bad example:
sshd/
└── files/
├── ssh
└── sshd_config
We usually only use files/ for binary files, e.g. executables or
archives. Most text files would usually go into templates/
instead (see below); even if you don’t need to put any dynamic content
into a text file, we recommend to use a template and add an
{{ ansible_managed | comment }} header whenever possible.
Templates
Within this directory, template files are stored with a .j2
extension as the files are treated as Jinja templates. This allows
file contents to be modified based on Ansible variables, host vars and
system facts.
Templates should have a comment with {{ ansible_managed |
comment }} at the very beginning. This generates a comment header
inside the file, warning a potential user that changes to the file may
be overwritten. We recommend to use {{ ansible_managed | comment
}} rather than # {{ ansible_managed }}, as the latter does not
work with multiline ansible_managed comments. For customization of
the comment, check out the documentation of the comment filter.
If possible, validate the template before copying it into place. This will guarantee that configuration will work after restarting the corresponding service. A lot of daemon binaries come with a config test flag intended for exactly this purpose.
Good example:
---
- name: config | Configure the ssh daemon
ansible.builtin.template:
src: etc/ssh/sshd_config.j2
dest: "{{ sshd_daemon_cfg }}"
owner: root
group: root
mode: 0644
seuser: system_u
serole: object_r
setype: etc_t
selevel: s0
validate: "{{ sshd_daemon_bin }} -t -f %s"
notify:
- "Restart SSHd"
Within the template/ directory, we rebuild the path structure of a target system. We
do not store templates in a flattened directory.
Good example:
sshd/
└── templates/
└── etc/
├── default/
│ └── ssh.j2
└── ssh/
└── sshd_config.j2
Bad example:
sshd/
└── templates/
├── ssh.j2
└── sshd_config.j2
Meta
The file meta/main.yml contains metadata about a role. For
standalone roles, this file is required in order to be submitted to
Ansible Galaxy. For roles in a collection, this file is optional, but
recommmended.
---
galaxy_info:
author: 'Adfinis AG'
description: 'Install and manage sshd'
company: 'Adfinis AG'
license: GPL-3.0-only
min_ansible_version: 2.10
platforms:
- name: Debian
versions:
- buster
- bullseye
- bookworm
- name: Ubuntu
versions:
- jammy
- lunar
- mantic
- name: CentOS
versions:
- 7
- 8
- 9
galaxy_tags:
- ssh
- sshd
# The roles listed here are automatically applied before applying this role.
dependencies:
- role: adfinis.linux
Collections
Collections are the new format for packaging roles, plugins, playbooks and other Ansible artifacts.
For more in-detail information, please refer to the upstream documentation: Developing collections.
A new collection can be created using the command ansible-galaxy
collection init <namespace>.<collection>. The collection will be
created in the directory ./<namespace>/<collection/.
We also provide a Github template for Ansible collection repositories, which comes with a CI pipeline for ansible-lint and automated release to Ansible Galaxy: adfinis/ansible-collection-template.
Artifacts in a collection should always be referred to by their FQCN
(fully-qualified collection name) consisting of
<namespace>.<collection>.<artifact>. For example, the role
sshd in the collection adfinis.linux is referred to as
adfinis.linux.sshd. The same applies to other artifacts such as
plugins or playbooks as well.
Collection Directory Layout
.
├── docs/
├── galaxy.yml
├── meta/
│ └── runtime.yml
├── plugins/
│ ├── callback/
│ ├── inventory/
│ └── modules/
│ └── example.py
├── README.md
├── roles/
│ ├── sshd/
│ └── pki/
├── playbooks/
│ ├── playbook.yml
│ ├── templates/
│ └── tasks/
└── tests/
galaxy.yml
The galaxy.yml file at the root of your collection contains the
metadata required in order to publish your collection to Ansible
Galaxy:
---
namespace: adfinis
name: linux
version: "1.0.0"
readme: README.md
authors:
- Adfinis AG <support@adfinis.com>
repository: http
description: Collection of roles for basic configuration of a Linux server
license: GPL-3.0-only
tags:
- linux
dependencies:
community.general: "7.5.0"
community.crypto: "2.15.1"
repository: https://github.com/adfinis/linux
documentation: https://adfinis.github.io/...
homepage: https://adfinis.com
issues: https://github.com/adfinis/linux/issues
build_ignore: []
meta/runtime.yml
Usually this file only contains one entry: Which Ansible version is required to use this collection:
---
requires_ansible: ">=2.10.0"