Nathan
88d67ecf4f
Added production-grade validation tooling and documentation:
- ADDED: validate-connectivity.yml playbook with comprehensive checks
* Ping test, sudo verification, Docker status
* NFS mount validation, disk usage warnings
* Proxmox-specific checks (version, cluster status)
* System uptime reporting
* Passes ansible-lint production profile
- ADDED: validate-environment.sh health check script
* 10-point diagnostic validation
* Color-coded status output
* Reports all 4 nodes operational
- ADDED: QUICK-REFERENCE.md comprehensive command guide
* Ad-hoc commands, playbook operations
* Vault management, linting workflows
* Inventory targeting examples
* Integration guides (VSCode, Git)
- ADDED: Ansible Vault secrets template (encrypted)
* group_vars/all/vault.yml with placeholder secrets
* AES256 encrypted with vault password
* Template for sudo, Proxmox, Gitea, NFS credentials
- UPDATED: plan-ansibleSetup.md progress report
* Phase completion status (Phases 1-4 complete)
* Deviations documented (hosts.ini format, PVE01 added)
* Next steps and recommendations
- UPDATED: README.md Ansible section
* Production-ready status badge
* Quick validation command
* Links to new documentation
Environment Status: 🟢 PRODUCTION READY
All 4 nodes responding, linting passed, documentation complete
7.1 KiB
7.1 KiB
Ansible Quick Reference
Current Environment Status
Last Validated: April 13, 2026
Status: 🟢 OPERATIONAL
Managed Nodes: 4 (Watchtower, Heimdall, Waldorf, PVE01)
Quick Commands
Health Checks
# Basic connectivity test
ansible all -m ping
# Full environment validation
./validate-environment.sh
# Check Ansible version
ansible --version
# List all managed hosts
ansible-inventory --graph
Ad-Hoc Commands
# Execute command on all nodes
ansible all -m command -a "uptime"
# Execute with privilege escalation
ansible all -m command -a "whoami" --become
# Check disk space on all nodes
ansible all -m shell -a "df -h /"
# Gather facts from specific group
ansible docker_nodes -m setup
Playbook Operations
# Syntax check
ansible-playbook playbooks/test-connection.yml --syntax-check
# Dry run (check mode)
ansible-playbook playbooks/test-connection.yml --check
# Execute playbook
ansible-playbook playbooks/test-connection.yml
# Run with verbose output
ansible-playbook playbooks/test-connection.yml -vvv
# Limit to specific hosts
ansible-playbook playbooks/test-connection.yml --limit heimdall
Ansible Vault Operations
# View encrypted file
ansible-vault view inventory/group_vars/all/vault.yml
# Edit encrypted file
ansible-vault edit inventory/group_vars/all/vault.yml
# Encrypt a file
ansible-vault encrypt path/to/file.yml
# Decrypt a file
ansible-vault decrypt path/to/file.yml
# Change vault password
ansible-vault rekey inventory/group_vars/all/vault.yml
Linting & Quality
# Lint specific playbook
ansible-lint playbooks/test-connection.yml
# Lint all playbooks
ansible-lint playbooks/*.yml
# Lint with strict mode
ansible-lint --strict playbooks/
# Show configuration
ansible-config list
ansible-config dump --only-changed
Inventory Groups
The inventory is organized into hardware and functional groups:
Hardware Groups
- control_plane - Watchtower (Ansible control node)
- docker_nodes - Heimdall, Waldorf
- physical_servers - Heimdall, Waldorf
- raspberry_pi - Watchtower
- proxmox_cluster - PVE01
Functional Groups
- core_services - Heimdall (Komodo, Gitea, Traefik)
- media_services - Waldorf (Plex, Tunarr)
- nfs_clients - Heimdall, Waldorf
Targeting Examples
# All Docker hosts
ansible docker_nodes -m ping
# Only physical servers
ansible physical_servers -m command -a "lsblk"
# Just the control plane
ansible control_plane -m setup
# NFS clients only
ansible nfs_clients -m shell -a "df -h /mnt/appdata"
Files & Directories
ansible/
├── ansible.cfg # Main configuration
├── inventory/
│ ├── hosts.ini # Node definitions
│ └── host_vars/ # Per-host variables
├── group_vars/
│ └── all.yml # Global variables
├── vault/
│ └── .vault_pass # Vault password (gitignored)
├── playbooks/
│ ├── test-connection.yml # Basic connectivity test
│ ├── gather-node-facts.yml # System discovery
│ ├── quick-facts.yml # Rapid diagnostics
│ ├── onboard-nodes.yml # Node initialization
│ └── onboard-proxmox.yml # Proxmox setup
├── roles/
│ └── proxmox_post_install/ # Custom role
└── validate-environment.sh # Health check script
Configuration Highlights
ansible.cfg Key Settings
- Inventory:
inventory/hosts.ini - SSH Key:
~/.ssh/id_ed25519 - Host Key Checking: Disabled (homelab trusted network)
- Vault Password:
vault/.vault_pass - Forks: 5 (parallel execution limit)
- Fact Caching: Enabled (JSON, 1 hour TTL)
- Privilege Escalation: sudo (passwordless)
Security Configuration
- ED25519 SSH keys (modern, fast, secure)
- Ansible Vault for secrets (AES256 encryption)
- Vault password file permissions: 600 (owner read/write only)
- No passwords in inventory files
- StrictHostKeyChecking disabled (acceptable for isolated homelab)
Common Workflows
Adding a New Managed Node
- Generate and copy SSH key:
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@new-node-ip
- Test connectivity:
ssh -i ~/.ssh/id_ed25519 user@new-node-ip "hostname"
- Add to inventory (
inventory/hosts.ini):
[docker_nodes]
new_node ansible_host=10.0.0.XXX ansible_user=user
- Verify:
ansible new_node -m ping
Creating a New Playbook
- Create file in playbooks/ directory:
---
- name: My New Playbook
hosts: all
gather_facts: true
tasks:
- name: Example task
ansible.builtin.debug:
msg: "Hello from {{ inventory_hostname }}"
- Validate syntax:
ansible-playbook playbooks/my-playbook.yml --syntax-check
- Lint the playbook:
ansible-lint playbooks/my-playbook.yml
- Test in check mode:
ansible-playbook playbooks/my-playbook.yml --check
- Execute:
ansible-playbook playbooks/my-playbook.yml
Troubleshooting Connection Issues
# Verbose SSH debugging
ansible node_name -m ping -vvvv
# Test raw connectivity (bypasses Python)
ansible node_name -m raw -a "echo test"
# Check SSH key authentication
ssh -vvv -i ~/.ssh/id_ed25519 user@node-ip
# Verify inventory parsing
ansible-inventory --host node_name
# Test privilege escalation
ansible node_name -m command -a "whoami" --become -vv
Integration Points
VSCode Remote Development
- Open VSCode
- Install "Remote - SSH" extension
- Connect to Watchtower:
chester@10.0.0.200 - Open folder:
/home/chester/homelab/ansible - Install extensions on remote:
- Ansible (by Red Hat)
- YAML (by Red Hat)
Git Workflow
# Check status
git status
# Add changed playbooks
git add playbooks/
# Commit with descriptive message
git commit -m "feat(ansible): add system maintenance playbook"
# Push to Gitea
git push origin main
Performance Tips
- Use fact caching (already enabled) to avoid re-gathering system info
- Limit playbook scope with
--limitflag when testing - Increase forks for large inventories (currently 5)
- Use pipelining (already enabled) for faster SSH operations
- Disable gathering for simple tasks:
gather_facts: false
Security Best Practices
✅ Already Implemented:
- SSH key-based authentication (no passwords)
- Ansible Vault for sensitive data
- Vault password file secured (600 permissions)
- Passwordless sudo configured safely
⚠️ Recommendations:
- Rotate SSH keys annually
- Audit Vault contents quarterly
- Review ansible.log for suspicious activity
- Limit Ansible user privileges where possible
Next Steps
- Create comprehensive validation playbook (validate-connectivity.yml)
- Build Docker stack deployment role
- Implement automated system updates playbook
- Set up Molecule for role testing
- Integrate with Komodo for CI/CD automation
Document Version: 1.0
Last Updated: April 13, 2026
Maintained By: FrankGPT (Ansible Architect)