We strive to modernize, and make rebuilding of the services reliable and reproducible. After quite some time to deliberate Ansible was chosen to maintain our infrastructure.


These playbooks are made to run with Ansible >=2.5, <2.6.

You might need this for our custom plugins:

  • python-unidecode

You should love YAML, as the rules and most of the configuration are written in this format. This is not difficult to learn though.


A ansible.cfg configuration file is provided with all needed settings and to be sure we all use the same and achieve the same results. The only controversial setting is hash_behaviour = merge, it is very practical to allow partial variable overrides using groups of hosts (if you disagree, try to convince Duck, good luck).

The lists of hosts and groups (the inventory) is held by hosts.yml. All hosts should be listed in the all group, and then in various groups as appropriate; failing to do so will most probably result in dropping hosts out of the inventory when removing them from groups. We do not maintain variables in this file, this is not very practical.

The files in host_vars/<host>/ and group_vars/<group>/ for hosts and groups hold specific variables. We use groups for hosts holding the save service, or in the same geographic zone… That's were the magical hash_behaviour = merge shines.

Most of the infrastructure parameters are common information stored in group_vars/all: package repositories, DNS settings, users, entities…

Some files are also stored in data:

  • DuckCorp-specific files which are used by a role but not included in it to keep it generic
  • isolated tasks in a play manipulating data (copy/template/…); creating a higher level role may be a cleaner solution though


Here is a list of the playbooks and their goal:

  • dc_check: run various tests on machines to check for problems; this is WIP and currently only checks for unapplied upgrades, package diff and obsolete packages
  • dc: (partially, WIP) deploy the DuckCorp infrastructure
  • ldap: generate the whole LDAP database content
  • regen_ssh_keys: on shell boxes, create missing user home directories and add their SSH keys to their authorized_keys file (preserving local changes)

Please don't use roles sections in plays, use include_role tasks instead, it is more powerful and you can order it as you wish (as any task).


We should try our best to modularize the rules to ease readability and maintenance.

Except for basic system settings (dc-base role) which should be kept small, and DuckCorp-specific needs, all roles are maintained in separate repositories (WIP for legacy roles) and should be kept generic (without trying to address each and every possible need in the world), or clearly state their scope limitation. They should all be documented and bear meta information.

Roles should present a clear API. We also use more and more multiple entrypoints using the include_role action and tasks_from parameter. This allows to factorize various functions based on the same logic and variables.

Limiting Scope

It is possible to limit the scope of the run to preview on a particular machine or shorten the run when you're sure changes affect only specific host or tasks.

To limit the scope of the machines, use the -l option.

To run only specific groups of tasks, use --tags and --skip-tags. A partial (due to dynamic includes) but sufficient list of tags can be found using:

ansible-playbook --list-tags playbooks/*.yml



The provided script should be run before every commit to avoid mistakes.

This script depends on:

  • flake8
  • ansible-lint

When we switch to a newer Ansible version, dependencies like ansible-lint which are tied to Ansible should be upgraded too. There might be changes in the reports after migration and we should strive to fix them quickly. A new commit is not responsible for the previous state of the rules and should not mix topic changes with unrelated fixes, they should be handled in separate commits.


The --check option is available but there is no effort yet to make problematic tasks (command/shell/…) handled better.

| Branch: | Revision:

duckcorp-infra / ansible @ baae2ab9

Name Size Revision Age Author Comment
  data f7c792cb 11 months Marc Dequènes yoshi: ensure pid file is created
  group_vars 6904c077 11 months Marc Dequènes added MTA deployment
  host_vars a16b7016 12 months Marc Dequènes Add MariaDB installation
  playbooks baae2ab9 11 months Marc Dequènes add policyd-weight
  plugins 394dd9a4 over 1 year Marc Dequènes fix flake8 F401
  roles baae2ab9 11 months Marc Dequènes add policyd-weight
.ansible-lint 29 Bytes 2f14cf6b about 1 year Marc Dequènes ignore ANSIBLE0004 using HEAD is a legitimate ...
.gitattributes 51 Bytes 5d76f2d8 over 1 year Marc Dequènes First public version 4.19 KB 62f804c0 12 months Marc Dequènes switch to Ansible 2.5
ansible.cfg 18.1 KB 5d76f2d8 over 1 year Marc Dequènes First public version 231 Bytes a1d4f53e over 1 year Marc Dequènes add Duck test config to share between computers
hosts.yml 1.96 KB 5c3f614d 11 months Marc Dequènes added oidentd
hosts_tests_duck.yml 169 Bytes a1d4f53e over 1 year Marc Dequènes add Duck test config to share between computers 1.37 KB c746c1d5 over 1 year Marc Dequènes split main playbook into readable pieces, dc.ym...

Latest revisions

# Date Author Comment
baae2ab9 2018-05-14 18:47 Marc Dequènes

add policyd-weight

3caf716f 2018-05-14 18:10 Marc Dequènes

update submodules

5c3f614d 2018-05-14 18:06 Marc Dequènes

added oidentd

289fbce3 2018-05-14 16:56 Marc Dequènes

added duckcorp/

a3a7125f 2018-05-14 16:04 Marc Dequènes

remove obsolete mail redirection for KiBi

eb4ea1b9 2018-05-14 15:59 Marc Dequènes

remove obsolete mail redirection for KiBi

f7c792cb 2018-05-14 15:56 Marc Dequènes

yoshi: ensure pid file is created

da31ea7a 2018-05-14 15:10 Marc Dequènes

yoshi: autostart via crontab

ca124e3a 2018-05-14 15:02 Marc Dequènes

added new Yoshi

031c99d8 2018-05-14 14:02 Marc Dequènes

dc-postfix: script are run by non-root, don't restrict executability

View revisions

Also available in: Atom