Ahmed Hassan
Idempotent Ansible role with SSH hardening and handlers that only restart when something actually changed
Create Ansible playbooks and roles for server provisioning, application deployment, and configuration management with idempotency and error handling.
Ansible Playbook Automator
You are an automation engineer specializing in Ansible. Create complete, production-ready Ansible playbooks for the following infrastructure task.
**Infrastructure Task:**
{{infrastructure_task}}
**Target Hosts:**
{{target_hosts}}
**Operating System:**
{{operating_system}}
**Application Requirements:**
{{app_requirements}}
**Security Requirements:**
{{security_requirements}}
Generate:
1. **Playbook Structure**: Well-organized playbook with included roles
2. **Inventory**: Dynamic and static inventory configurations
3. **Role: Common**: Base system setup (users, SSH hardening, firewall, timezone, NTP)
4. **Role: Dependencies**: Package installation, runtime setup (Node, Python, Java, etc.)
5. **Role: Application**: Application deployment with proper directory structure and permissions
6. **Role: Database**: Database installation, user creation, schema setup
7. **Role: Web Server**: Nginx/Apache configuration with SSL, reverse proxy, rate limiting
8. **Role: Security**: Fail2ban, intrusion detection, log monitoring, CIS hardening
9. **Role: Monitoring**: Prometheus node exporter, log shipping agent setup
10. **Role: Backup**: Automated backup scripts and scheduling
11. **Handlers**: Proper service restart handlers with listen triggers
12. **Variables**: Group variables, host variables with secure defaults
13. **Vault Integration**: Encrypted secrets using Ansible Vault
14. **Idempotency**: Every task must be idempotent with proper conditionals
15. **Error Handling**: Rescue blocks, health checks, rollback capabilities
16. **ansible.cfg**: Optimized configuration for performance
Output complete playbook directory structure with all files.
Results
Ansible role to provision an Nginx + Node app server on Ubuntu 22.04, fully idempotent with SSH hardening and a handler-driven restart. Below are the role's core task file and handlers.
```yaml
# roles/webserver/tasks/main.yml
- name: Create the app system user
  ansible.builtin.user:
    name: appuser
    system: true
    shell: /usr/sbin/nologin   # no interactive login
    create_home: false

# Note: lineinfile rewrites the LAST line matching the regexp, while sshd
# applies the FIRST occurrence of a directive and expands any Include first.
- name: Disable root SSH login
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?PermitRootLogin"
    line: "PermitRootLogin no"
  notify: restart sshd   # only restarts if the line changed

- name: Disable SSH password auth (key-only)
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?PasswordAuthentication"
    line: "PasswordAuthentication no"
  notify: restart sshd

- name: Install Nginx
  ansible.builtin.apt:
    name: nginx
    state: present
    update_cache: true
    cache_valid_time: 3600   # idempotent: skip apt-update if recent

- name: Deploy the Nginx site config
  ansible.builtin.template:
    src: site.conf.j2
    dest: /etc/nginx/sites-available/app.conf
  notify: reload nginx

- name: Enable the site
  ansible.builtin.file:
    src: /etc/nginx/sites-available/app.conf
    dest: /etc/nginx/sites-enabled/app.conf
    state: link
  notify: reload nginx
```
```yaml
# roles/webserver/handlers/main.yml
- name: restart sshd
  ansible.builtin.service: { name: ssh, state: restarted }   # unit is "ssh" on Ubuntu

- name: reload nginx
  ansible.builtin.service: { name: nginx, state: reloaded }
```
**Idempotency:** `lineinfile` with anchored regexps only changes a directive once; `cache_valid_time` avoids re-running apt-update every play; handlers fire *only* when a task reports `changed`, so a no-op run touches nothing. **Secrets:** the TLS key and DB password live in an Ansible Vault file referenced via `vars_files`. Run with `ansible-playbook site.yml --check --diff` first to preview the changes before applying.
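The idempotency claim above is worth checking against how sshd actually reads its configuration, because "the task reported `ok`" and "root login is really disabled" are not the same thing. The script below is an added example, not part of the original prompt output or any Ansible module: it emulates `lineinfile` (default `firstmatch: false`, so the *last* matching line is rewritten), resolves the directive sshd would honour (first match wins, `Include` expanded in place in sorted order), and shows a mitigation: a drop-in file in `sshd_config.d/` whose name sorts first. The config files, the `50-cloud-init.conf` override and the `00-hardening.conf` drop-in name are all constructed for the demonstration.

```python
import fnmatch
import re

# Constructed sample files (not from a real host). Ubuntu 22.04 ships an
# Include as the first line of sshd_config, and an earlier explicit
# "PermitRootLogin yes" sits above the commented default that lineinfile
# will end up rewriting.
FILES = {
    "/etc/ssh/sshd_config": "\n".join([
        "Include /etc/ssh/sshd_config.d/*.conf",
        "Port 22",
        "PermitRootLogin yes",                   # explicit, early: sshd uses this
        "#PasswordAuthentication yes",
        "#PermitRootLogin prohibit-password",    # commented default, later in file
        "Subsystem sftp /usr/lib/openssh/sftp-server",
    ]) + "\n",
    # Constructed drop-in, modelled on what cloud images may leave behind
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

SSHD_CONFIG = "/etc/ssh/sshd_config"
HARDENING = [  # the two lineinfile tasks from the role above
    ("^#?PermitRootLogin", "PermitRootLogin no"),
    ("^#?PasswordAuthentication", "PasswordAuthentication no"),
]
DROPIN = "/etc/ssh/sshd_config.d/00-hardening.conf"
DROPIN_BODY = "PermitRootLogin no\nPasswordAuthentication no\n"


def lineinfile(text, regexp, line):
    """Approximation of ansible.builtin.lineinfile (state=present,
    firstmatch=false): rewrite the LAST line matching regexp, or append
    if nothing matches. Returns (new_text, changed)."""
    lines = text.splitlines()
    pat = re.compile(regexp)
    hits = [i for i, l in enumerate(lines) if pat.search(l)]
    if hits:
        i = hits[-1]
        if lines[i] == line:          # already in desired state: idempotent no-op
            return text, False
        lines[i] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n", True


def apply_role(files):
    """Run the role's two sshd tasks; return (files, count of changed tasks).
    The count is what drives the 'restart sshd' handler in the role."""
    files = dict(files)
    changed = 0
    for regexp, line in HARDENING:
        files[SSHD_CONFIG], c = lineinfile(files[SSHD_CONFIG], regexp, line)
        changed += c
    return files, changed


def effective_value(files, path, key):
    """Resolve the value sshd would actually use: directives are
    first-match-wins and Include is expanded in place, files in sorted order."""
    for raw in files[path].splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        parts = entry.split(None, 1)
        if len(parts) != 2:
            continue
        if parts[0].lower() == "include":
            for inc in sorted(p for p in files if fnmatch.fnmatch(p, parts[1])):
                value = effective_value(files, inc, key)
                if value is not None:
                    return value
        elif parts[0].lower() == key.lower():
            return parts[1]
    return None


def audit(files):
    """The values a defender cares about, as sshd will apply them."""
    return {k: effective_value(files, SSHD_CONFIG, k)
            for k in ("PermitRootLogin", "PasswordAuthentication")}


def harden_via_dropin(files):
    """Mitigation: ship the directives in a drop-in that sorts before every
    other included file. Because Include is the first line, it wins over
    anything later in sshd_config. Returns (files, changed)."""
    if files.get(DROPIN) == DROPIN_BODY:
        return files, False
    files = dict(files)
    files[DROPIN] = DROPIN_BODY
    return files, True


if __name__ == "__main__":
    first, n1 = apply_role(FILES)
    second, n2 = apply_role(first)
    print("changed tasks: first run", n1, "second run", n2)   # 2, then 0
    print("effective after role:", audit(second))             # still yes/yes
    fixed, _ = harden_via_dropin(second)
    print("effective after drop-in:", audit(fixed))           # no/no
```

The role is idempotent in the Ansible sense (second run changes nothing, so the handler never fires), yet the audit shows root login and password auth still enabled: one directive was shadowed by an earlier line, the other by an included file. Running the same audit on the real host output of `sshd -T` (which prints the effective configuration) is the check to add after the SSH tasks; the drop-in approach avoids the ordering problem entirely on 22.04.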
Model: Claude Sonnet 4
17 Likes · 4 Saves · Score: 11
1 Comment
Ryan Mitchell
Been looking for a solid debugging/testing prompt for ages; this is it.