We strive to modernize, and make rebuilding of the services reliable and reproducible. After quite some time to deliberate Ansible was chosen to maintain our infrastructure.


These playbooks are made to run with Ansible >=2.4, <2.5.

You might need this for our custom plugins:

  • python-unidecode

You should love YAML, as the rules and most of the configuration are written in this format. This is not difficult to learn though.


A ansible.cfg configuration file is provided with all needed settings and to be sure we all use the same and achieve the same results. The only controversial setting is hash_behaviour = merge, it is very practical to allow partial variable overrides using groups of hosts (if you disagree, try to convince Duck, good luck).

The lists of hosts and groups (the inventory) is held by hosts.yml. All hosts should be listed in the all group, and then in various groups as appropriate; failing to do so will most probably result in dropping hosts out of the inventory when removing them from groups. We do not maintain variables in this file, this is not very practical.

The files in host_vars/<host>/ and group_vars/<group>/ for hosts and groups hold specific variables. We use groups for hosts holding the save service, or in the same geographic zone… That's were the magical hash_behaviour = merge shines.

Most of the infrastructure parameters are common information stored in group_vars/all: package repositories, DNS settings, users, entities…

Some files are also stored in data:

  • DuckCorp-specific files which are used by a role but not included in it to keep it generic
  • isolated tasks in a play manipulating data (copy/template/…); creating a higher level role may be a cleaner solution though


Here is a list of the playbooks and their goal:

  • dc_check: run various tests on machines to check for problems; this is WIP and currently only checks for unapplied upgrades, package diff and obsolete packages
  • dc: (partially, WIP) deploy the DuckCorp infrastructure
  • ldap: generate the whole LDAP database content
  • regen_ssh_keys: on shell boxes, create missing user home directories and add their SSH keys to their authorized_keys file (preserving local changes)

Please don't use roles sections in plays, use include_role tasks instead, it is more powerful and you can order it as you wish (as any task).


We should try our best to modularize the rules to ease readability and maintenance.

Except for basic system settings (dc-base role) which should be kept small, and DuckCorp-specific needs, all roles are maintained in separate repositories (WIP for legacy roles) and should be kept generic (without trying to address each and every possible need in the world), or clearly state their scope limitation. They should all be documented and bear meta information.

Roles should present a clear API. We also use more and more multiple entrypoints using the include_role action and tasks_from parameter. This allows to factorize various functions based on the same logic and variables.

Limiting Scope

It is possible to limit the scope of the run to preview on a particular machine or shorten the run when you're sure changes affect only specific host or tasks.

To limit the scope of the machines, use the -l option.

To run only specific groups of tasks, use --tags and --skip-tags. A partial (due to dynamic includes) but sufficient list of tags can be found using:

ansible-playbook --list-tags playbooks/*.yml



The provided script should be run before every commit to avoid mistakes.

This script depends on:

  • flake8
  • ansible-lint

When we switch to a newer Ansible version, dependencies like ansible-lint which are tied to Ansible should be upgraded too. There might be changes in the reports after migration and we should strive to fix them quickly. A new commit is not responsible for the previous state of the rules and should not mix topic changes with unrelated fixes, they should be handled in separate commits.


The --check option is available but there is no effort yet to make problematic tasks (command/shell/…) handled better.

| Branch: | Revision:

duckcorp-infra / ansible @ a82df6f1

Name Size Revision Age Author Comment
  data ed035908 12 months Marc Dequènes (Duck) forgot to tell conffiles are Ansible managed
  group_vars 378881c1 11 months Arnaud Fontaine add/remove email addresses for 'arnau' user acc...
  host_vars 16746903 about 1 year Marc Dequènes dc-irc: set a proper From email address for ser...
  playbooks 61a97fbe 12 months Marc Dequènes (Duck) enable safe commands in check mode
  plugins 394dd9a4 over 1 year Marc Dequènes fix flake8 F401
  roles a82df6f1 11 months Marc Dequènes (Duck) update httpd role
.gitattributes 51 Bytes 5d76f2d8 over 1 year Marc Dequènes First public version 4.19 KB 5d76f2d8 over 1 year Marc Dequènes First public version
ansible.cfg 18.1 KB 5d76f2d8 over 1 year Marc Dequènes First public version 231 Bytes a1d4f53e over 1 year Marc Dequènes add Duck test config to share between computers
hosts.yml 1.82 KB 4c0c6570 about 1 year Marc Dequènes Korutopi is no more :-/
hosts_tests_duck.yml 169 Bytes a1d4f53e over 1 year Marc Dequènes add Duck test config to share between computers 1.37 KB c746c1d5 about 1 year Marc Dequènes split main playbook into readable pieces, dc.ym...

Latest revisions

# Date Author Comment
a82df6f1 2018-02-24 20:50 Marc Dequènes (Duck)

update httpd role

2d569261 2018-02-24 20:47 Marc Dequènes (Duck)

dc-irc: added config for needrestart

Restarting randomly just breaks the network.

378881c1 2018-02-10 01:07 Arnaud Fontaine

add/remove email addresses for 'arnau' user account.

5935e7a3 2018-02-09 10:57 Marc Dequènes (Duck)

dc-irc: don't load namesx module twice

startup then fails

f32c8fcf 2018-01-24 01:29 Marc Dequènes (Duck)

httpd: pending changes were merged

459f1619 2018-01-23 09:00 Marc Dequènes (Duck)

updated httpd role but disable use of modern MPM until PHP can be migrated to FPM

68b9126b 2018-01-22 15:21 Marc Dequènes (Duck)

updated httpd* roles: workaround for Ansible#26294 was updated

61a97fbe 2018-01-21 02:47 Marc Dequènes (Duck)

enable safe commands in check mode

690dfd3a 2018-01-21 02:45 Marc Dequènes (Duck)

dc-base: use find instead of shell

c275e80e 2018-01-20 21:01 Marc Dequènes (Duck)

dc-web: remove obsolete reference to

View revisions

Also available in: Atom