Day 24 · DevOps Session
Infrastructure automation, configuration management, secrets, and reusable roles.
Ansible Playbooks, Roles & Vault
A reduced session deck designed for a cleaner live presentation flow.
20 slides
60-minute session
Hands-on lab
Focus: playbooks, roles, templates, and secure automation.
Session Plan
Agenda
The strongest path through the topic.
- What Ansible is and where it fits
- Core building blocks: inventory, playbooks, tasks, modules
- Handlers, idempotency, roles, templates, and Vault
- Windows + WSL2 setup for the lab
- Build and run an Nginx role
- Validate the result and review key questions
Flow: concept first, implementation second.
Foundations → setup → lab → review
Foundations
What Is Ansible?
Automation without an agent footprint on every host.
- Open-source automation platform
- Configuration management and application deployment
- Infrastructure automation through reusable YAML
- Agentless execution using SSH or local connection
- Designed to converge systems toward a desired state
Core idea: define the target state and let tasks converge toward it.
Keyword: agentless
Comparison
Ansible vs Terraform
Complementary tools with different responsibilities.
| Terraform | Ansible |
|---|---|
| Provision infrastructure | Configure infrastructure |
| Create VMs and networks | Install software and manage services |
| Focus on resource lifecycle | Focus on machine state |
| Best for provisioning | Best for configuration and deployment |
Provision with Terraform, configure with Ansible.
Provision → Configure
Core Model
Core Building Blocks
The minimum model needed to read an Ansible repo.
- Inventory: which hosts are targeted
- Playbook: what actions should run
- Task: one unit of intent
- Module: the implementation behind the task
- Handler: change-triggered follow-up action
- Role: reusable project structure
- Vault: encrypted secrets
Most confusion disappears when these boundaries are explicit.
Structure first, details second.
Playbooks
Playbooks, Tasks, and Modules
Simple YAML with explicit intent.
```yaml
---
- hosts: web
  become: yes
  tasks:
    - name: Install Nginx
      apt:
        name: nginx
        state: present
```
Pattern: hosts → tasks → modules.
Readable automation scales better.
Execution
Handlers and Idempotency
Run follow-up actions only when a change actually happened.
```yaml
tasks:
  - template:
      src: nginx.conf.j2
      dest: /etc/nginx/nginx.conf
    notify: Restart Nginx
handlers:
  - name: Restart Nginx
    service:
      name: nginx
      state: restarted
```
```bash
ansible-playbook site.yml --check
ansible-playbook site.yml --diff
```
Only restart when config changes.
Predictability is the value.
Reuse
Roles and Galaxy
Structure automation so it can be reused cleanly.
```
roles/
└── webserver/
    ├── tasks/
    ├── handlers/
    ├── defaults/
    ├── templates/
    └── files/
```
```bash
ansible-galaxy role init webserver
ansible-galaxy role install geerlingguy.nginx
```
Use roles when behavior needs structure and reuse.
Review external dependencies.
Config Rendering
Templates and Vault
Generate config dynamically and keep secrets encrypted.
```nginx
server {
    listen {{ nginx_port }};
    server_name {{ domain_name }};
}
```
```bash
ansible-vault create secrets.yml
ansible-playbook site.yml --ask-vault-pass
```
Templates keep config DRY. Vault protects sensitive values.
Config + secrets together.
Environment
Windows Setup with WSL2
The most practical local lab path for Windows users.
Use Ubuntu on WSL2 so the commands and behavior stay close to a native Linux environment.
Standardize the environment before the lab begins.
WSL2 is the practical default.
Environment
Setup Commands
Install WSL2, open Ubuntu, and prepare Ansible.
```bash
# Install WSL2
wsl --install
wsl --status
# Open Ubuntu
wsl
# Prepare Ansible
sudo apt update
sudo apt install ansible -y
ansible --version
```
Local target for the lab
```bash
mkdir ~/ansible-lab
cd ~/ansible-lab
```
```ini
[web]
localhost ansible_connection=local
```
Localhost removes network and SSH setup from the first lab pass.
Verify Ansible before proceeding.
Hands-On Lab
End-to-End Lab Guide
Build and deploy an Nginx role from zero to validation.
Follow the six steps in order: prepare the workspace, create the role, add tasks and templates, secure variables with Vault, run the playbook, and confirm idempotency.
Use the lab as a full walkthrough, not as isolated commands.
Step 1 → Step 6
Step 1
Prepare the Workspace
Create the lab folder, inventory, and connectivity check.
```bash
# -p: the folder may already exist from the setup slide
mkdir -p ~/ansible-lab
cd ~/ansible-lab
cat > inventory.ini <<'EOF'
[web]
localhost ansible_connection=local
EOF
ansible web -i inventory.ini -m ping
```
Do not continue until the ping succeeds.
Inventory first.
Step 2
Create the Role and Playbook
Scaffold the project structure and attach the role to site.yml.
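```bash
# Create the role under roles/, where Step 3 writes its files
mkdir -p roles
ansible-galaxy role init --init-path roles webserver
cat > site.yml <<'EOF'
---
- hosts: web
  become: yes
  roles:
    - webserver
EOF
```
Build the structure before writing implementation details.
Role + playbook.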
Step 3
Add Tasks and Handler
Install Nginx, deploy the config, and restart only when needed.
```bash
cat > roles/webserver/tasks/main.yml <<'EOF'
---
- name: Install Nginx
  apt:
    name: nginx
    state: present
- name: Deploy Config
  template:
    src: nginx.conf.j2
    dest: /etc/nginx/sites-enabled/default
  notify: Restart Nginx
EOF
cat > roles/webserver/handlers/main.yml <<'EOF'
---
- name: Restart Nginx
  service:
    name: nginx
    state: restarted
EOF
```
Install → configure → notify.
Handler controls service restarts.
Step 4
Add Template and Defaults
Render the response from role variables.
```bash
cat > roles/webserver/templates/nginx.conf.j2 <<'EOF'
server {
    listen {{ nginx_port }};
    location / {
        return 200 "Welcome to {{ company_name }}";
    }
}
EOF
cat > roles/webserver/defaults/main.yml <<'EOF'
nginx_port: 80
company_name: CloudTech
EOF
```
Templates generate config. Defaults provide the starting values.
Variable-driven output.
Step 5
Add Vault and Wire It Into the Playbook
Create the encrypted file, then load it with vars_files.
```bash
# Opens an editor: enter the variable shown below, then save and close
ansible-vault create secrets.yml
```
```yaml
vault_admin_password: SuperSecret123
```
```bash
cat > site.yml <<'EOF'
---
- hosts: web
  become: yes
  vars_files:
    - secrets.yml
  roles:
    - webserver
EOF
```
Keep secrets in Vault, not in defaults or plaintext files.
Encrypted variables loaded at run time.
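One way to verify the Step 5 rule before committing, as an added example that is not part of the original deck: the functions check that secrets files carry the `$ANSIBLE_VAULT;` header and flag `vault_`-prefixed variables left readable anywhere in the project. The function names and the sample files are constructed for illustration.

```bash
# Assumption: files written by ansible-vault start with a "$ANSIBLE_VAULT;" header line.

# Succeed only when the first line of file $1 is a Vault header.
is_vault_encrypted() {
    _first=
    IFS= read -r _first < "$1" || :
    case "$_first" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report each file as ENCRYPTED, PLAINTEXT or MISSING; fail unless all are encrypted.
check_secrets_files() {
    _rc=0
    for _f in "$@"; do
        if [ ! -f "$_f" ]; then
            echo "MISSING   $_f"; _rc=1
        elif is_vault_encrypted "$_f"; then
            echo "ENCRYPTED $_f"
        else
            echo "PLAINTEXT $_f"; _rc=1
        fi
    done
    return "$_rc"
}

# Print vault_-prefixed variables under directory $1 whose value is readable
# (anything other than an inline !vault tag); fail if at least one is found.
find_plaintext_vault_vars() {
    _hits=$(find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) -exec \
        grep -HnE '^[[:space:]]*vault_[A-Za-z0-9_]+:[[:space:]]*[^![:space:]]' {} + || :)
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits"
    return 1
}

# Constructed sample: a plaintext file and one carrying a Vault header (filler body).
make_sample() {
    _d=$(mktemp -d)
    printf 'vault_admin_password: SuperSecret123\n' > "$_d/plain.yml"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '6162636465660a' > "$_d/secrets.yml"
    echo "$_d"
}

sample_dir=$(make_sample)
check_secrets_files "$sample_dir/secrets.yml" "$sample_dir/plain.yml" || echo "fix before commit"
find_plaintext_vault_vars "$sample_dir" || :
rm -rf "$sample_dir"
```

In the lab directory, `check_secrets_files secrets.yml` and `find_plaintext_vault_vars roles` cover the file from Step 5 and the role defaults from Step 4.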
Step 6
Run, Validate, and Re-Run
Execute the playbook, verify the result, then confirm idempotency.
```bash
ansible-playbook -i inventory.ini site.yml --ask-vault-pass
systemctl status nginx
curl localhost
ansible-playbook -i inventory.ini site.yml --ask-vault-pass
```
```
Welcome to CloudTech
changed=0
```
Validation proves the deployment. A second run proves automation quality.
End-to-end result.
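A gate for the second run in Step 6, added here and not part of the original deck: it reads `ansible-playbook` output and fails unless every host in the PLAY RECAP reports changed=0, failed=0 and unreachable=0. The function names and the two recap lines are constructed, and the recap is assumed to use the default `ok=N changed=N ...` layout.

```bash
# Assumption: recap lines look like "host : ok=N changed=N unreachable=N failed=N ...".

# Print the value of counter $2 (for example "changed") from recap line $1.
recap_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([0-9][0-9]*\).*/\1/p"
}

# Read playbook output on stdin; succeed only if at least one recap line was
# seen and every host reports changed=0, failed=0 and unreachable=0.
recap_is_idempotent() {
    _seen=0; _bad=0
    while IFS= read -r _line; do
        case "$_line" in
            *ok=*changed=*) ;;
            *) continue ;;
        esac
        _seen=1
        for _k in changed failed unreachable; do
            _v=$(recap_field "$_line" "$_k")
            # A missing counter is treated as a failure, not as zero.
            if [ "${_v:-1}" -ne 0 ]; then
                echo "not clean: ${_line%% *} $_k=${_v:-missing}"
                _bad=1
            fi
        done
    done
    [ "$_seen" -eq 1 ] && [ "$_bad" -eq 0 ]
}

# Constructed recap lines: a first run that made changes, a second run that made none.
FIRST_RUN='localhost : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0'
SECOND_RUN='localhost : ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0'

printf '%s\n' "$FIRST_RUN"  | recap_is_idempotent || echo "first run: changes applied"
printf '%s\n' "$SECOND_RUN" | recap_is_idempotent && echo "second run: idempotent"
```

Piping the second `ansible-playbook` run into `recap_is_idempotent` turns the `changed=0` check into an exit code a CI job can act on.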
Wrap Up
Review Questions
Use these to confirm the core concepts.
- Why is Ansible described as agentless?
- What is the difference between a task and a module?
- Why do handlers matter?
- What does idempotency protect you from?
- Why keep secrets in Vault instead of plaintext files?
Connect each answer to a practical example.
Review + extend
Closing
Day 24 completed.
Thank You
Next module: Jenkins CI/CD Pipelines
Reduced deck ready for a live session.
20 slides total.