# Delivery Layout

When you deliver something you'll probably have a layout:

  - a static or dynamic inventory of all the nodes to manage
  - ssh keys to use
  - users and secrets to connect to the hosts
  - whether to do privilege escalation (eg. sudo, ...) before running tasks
  - if nodes should be accessed via a bastion host, docker, ...
  
Put that information, together with a brief description of the playbook usage (eg. 2/3 lines), into ansible.cfg




## Simple delivery layout

In [3]:
cd ansible

/notebooks/notebooks/ansible


In [2]:
# When running ansible, the first file to be read is
!cat ansible.cfg

cat: ansible.cfg: No such file or directory


In [5]:
# Exercise 1
# - ping all hosts without specifying an inventory file
# - comment the "inventory" line out of ansible.cfg
# - try to ping them again
!ansible -m ping all
!sed -i 's/^inventory/#inventory/' ansible.cfg
!grep inventory ansible.cfg
!ansible -m ping all
!sed -i 's/#inventory/inventory/' ansible.cfg
!ansible -m ping all



pythonforsysadmin_course_1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
172.17.0.5 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh.",
    "unreachable": true
}
172.17.0.6 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh.",
    "unreachable": true
}
172.17.0.7 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh.",
    "unreachable": true
}
# Always use ansible.cfg and inventory files to
# define our inventory file or ansible defaults
#inventory = inventory


pythonforsysadmin_course_1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
172.17.0.5 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh.",
    "unreachable": true
}
172.17.0.6 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to th

## Authentication

You can manage machines via `ssh` or `docker`, but what happens if `PermitRootLogin=no`?

Just use
```yaml
become: yes
become_user: root
become_method: sudo  # defaults to sudo
```

You can even specify which ssh key to use.



## Inventory

The inventory contains the infrastructure hosts. Maintaining an inventory helps to:

  - clearly state each host and its functionalities
  - communicate to others all the involved machines
  - describe the infrastructure

Via `ansible.cfg` you can set a default inventory. You could, for example, default to staging and require `-i production` to run on the actual machines.

Ansible supports dynamic inventories (LDAP, scripts, ...) [see chapter]

## Encrypt secrets

You can use and deliver secrets in your infrastructure using an encrypted file (aka Ansible Vault).

The decryption password can be typed each time or stored in a pin file configured in `ansible.cfg`.

REMEMBER: clear your pin file at logout ;) 

## Bastion

A bastion host is the unique management entrypoint for an infrastructure.

![title](https://cloud.google.com/solutions/images/bastion.png)
    
Ansible *leverages ssh functionalities* to manage resources from your local machine through a bastion.
With a proper configuration you can run your commands/playbooks without continuously moving files to and from your bastion.

These include:
 
  - socks 
  - local and reverse tunnels (ssh -L | -R )
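The pieces described above (a default inventory in `ansible.cfg`, `become` for hosts with `PermitRootLogin=no`, a vault pin file and a bastion reached through ssh) put together as one added example layout; it is not a file from the course, and the hostnames, user, key and file paths are placeholders:

```ini
# --- ansible.cfg ---------------------------------------------------------
# Read first when ansible is run from this directory. This is an added
# example, not the course's own file; all names and paths are placeholders.
[defaults]
# Default to staging so that a plain `ansible-playbook site.yml` never
# touches production; production needs an explicit `-i inventory/production`.
inventory = inventory/staging
# Connection identity: login user and ssh key to use (placeholders).
remote_user = deploy
private_key_file = ~/.ssh/deploy_ed25519
# Decryption password for vault files lives in a pin file (keep it 0600
# and clear it at logout, as the notes say).
vault_password_file = ~/.vault-pin
# Refuse to connect to hosts whose ssh host key is unknown or has changed.
host_key_checking = True

[privilege_escalation]
# PermitRootLogin=no on the targets: log in as `deploy`, then sudo to root.
become = True
become_method = sudo
become_user = root

# --- inventory/staging ---------------------------------------------------
# Every managed node is listed by role, so the file doubles as a map of
# the infrastructure. Hostnames are placeholders.
[bastion]
bastion.staging.example.internal

[web]
web1.staging.example.internal
web2.staging.example.internal

[db]
db1.staging.example.internal

[internal:children]
web
db

# web and db nodes are reachable only through the bastion: `ssh -W` opens a
# TCP forward from the bastion to the target, so nothing has to be copied
# onto the bastion and playbooks still run from the local machine.
[internal:vars]
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q deploy@bastion.staging.example.internal"'
```

From this directory `ansible -m ping all` exercises staging; only an explicit `ansible -i inventory/production -m ping all` reaches production.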
  