Skip to content
This repository has been archived by the owner on Jul 20, 2024. It is now read-only.

ansibleguy/sw_semaphore

Repository files navigation

Ansible-Semaphore - modern UI for Ansible

Ansible Role - Ansible-Semaphore

Role to provision Ansible Semaphore on a linux server.

Semaphore is a lightweight alternative to Ansible AWX. (WebUI for Ansible usage)

Buy me a coffee

Molecule Test Status YamlLint Test Status PyLint Test Status Ansible-Lint Test Status Ansible Galaxy

Molecule Logs: Short, Full

Tested:

  • Debian 11

Install

# latest
ansible-galaxy role install git+https://github.com/ansibleguy/sw_semaphore

# from galaxy
ansible-galaxy install ansibleguy.sw_semaphore

# or to custom role-path
ansible-galaxy install ansibleguy.sw_semaphore --roles-path ./roles

# install dependencies
ansible-galaxy install -r requirements.yml

Usage

You want a simple Ansible GUI? Check-out my Ansible WebUI

Config

Minimal config:

semaphore:
  nginx:
    domain: 'semaphore.test.ansibleguy.net'

  # optional:
  # version: '2.8.90'
  # admin:
  #   user: 'admin'
  #   name: 'AnsibleGuy'
  #   email: 'semaphore@template.ansibleguy.net'

Define the config as needed:

semaphore:
  manage:
    webserver: true  # install and configure local nginx with min-ca cert
    database: true  # install and configure local mariadb
    backup: true  # install service for daily local database backup (if database is managed)
    user: true  # create service-user 'semaphore'
    ansible_cfg: true  # provision /home/semaphore/.ansible.cfg
    admin: true  # add admin-user after installation

  version: '2.8.90'  # see: https://github.com/ansible-semaphore/semaphore/releases

  persistent_requirements: false

  admin:
    user: 'admin'
    email: 'admin@template.ansibleguy.net'
    pwd: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      ...

  config:  # config key-value pairs as set in 'config.json': https://docs.ansible-semaphore.com/administration-guide/configuration
    concurrency_mode: 'node'
    email_sender: 'semaphore@template.ansibleguy.net'
    email_host: 'mail.template.ansibleguy.net'
    email_alert: true

    # optional
    ldap_enable: true
    ldap_needtls: true
    ldap_binddn: 'service_semaphore'
    ldap_bindpassword: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      ...
    ldap_server: 'ldap.template.ansibleguy.net:636'
    ldap_searchfilter: '(&(mail=%s)(objectClass=person)(memberOf:=CN=semaphore,OU=Groups,DC=template,DC=ansibleguy,DC=net))'  # login with mail; must be in group 'semaphore'

    # optional => see: https://docs.ansible-semaphore.com/administration-guide/security#database-encryption
    cookie_hash: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      ...
    cookie_encryption: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      ...
    access_key_encryption: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      ...

  requirements:  # requirements your execution-environment needs
    pip: ['httpx']  # any python3-modules
    collections: ['community.general']  # any ansible-collections (if persistent_requirements=true)
    roles: []  # any ansible-roles (if persistent_requirements=true)

  ansible_config:  # /home/semaphore/.ansible.cfg => if manage.ansible_cfg=true; see: https://docs.ansible.com/ansible/latest/reference_appendices/config.html
    defaults:  # section
      remote_port: 48322
      vault_id_match: 'semaphore'
    diff:
      context: 2

  backup:
    retention_days: 30

You might want to use 'ansible-vault' to encrypt your passwords:

ansible-vault encrypt_string

Execution

Run the playbook:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml

There are also some useful tags available:

  • webserver
  • database
  • config
  • requirements

To debug errors - you can set the 'debug' variable at runtime:

ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes

Functionality

  • Package installation

    • Ansible-Semaphore in the specified version
    • Python3 PIP
    • Python3 Virtual-Environment
      • Ansible
      • common Ansible Jinja-Filter dependencies
    • Git
  • Configuration

    • Service: 'semaphore.service'

    • Service-user: 'semaphore'

    • Default config:

      • Directories:
        • Venv: '/var/local/lib/semaphore_venv'
        • Config: '/etc/semaphore'
        • Backup: '/var/backups/semaphore'
        • Tmp/Run: '/tmp/.semaphore'
    • Default opt-ins:

      • Nginx proxy => using THIS Role
      • MariaDB database => using THIS Role
      • Daily local database backup (if database is managed)
        • Backup service: 'semaphore-backup.service'
      • Provisioning 'ansible.cfg' for serviceuser
      • Adding admin-user after installation
    • Default opt-outs:

      • Persistent requirements
        • Update service: 'semaphore-requirements.service'

Info

  • Note: this role currently only supports debian-based systems

  • Note: Most of the role's functionality can be opted in or out.

    For all available options - see the default-config located in the main defaults-file!

  • Warning: Not every setting/variable you provide will be checked for validity. Bad config might break the role!

  • Note: If you like to use docker => you might want to check out the official docker-image of Ansible-Semaphore instead!

  • Info: Persistent requirements can be used to speed up executions:

    It will install & update ansible-roles & ansible-collections using an external service/timer.

    By default, semaphore will need to re-install them ON EACH EXECUTION.

    For this to work - you will also have to make sure that the requirements files do not exist in your repositories:

    • $REPO/collections/requirements.yml
    • $REPO/roles/requirements.yml