Ansible Configuration Management
Ansible playbooks and roles for OS hardening and RKE2 cluster installation. Ansible manages everything up to the point where Kubernetes is running; after that, Flux CD takes over.
See Ansible patterns for coding conventions.
Structure
```
ansible/
├── playbooks/             # Top-level playbooks
│   ├── site.yml           # Full run: harden + install + post-harden
│   ├── harden-os.yml      # OS STIG hardening only
│   └── install-rke2.yml   # RKE2 installation only
├── roles/                 # Reusable roles
│   ├── os-hardening/      # Rocky Linux 9 DISA STIG
│   ├── rke2-common/       # Shared RKE2 prerequisites
│   ├── rke2-server/       # Control plane node setup
│   ├── rke2-agent/        # Worker node setup
│   └── rke2-hardening/    # RKE2-specific STIG settings
├── inventory/             # Per-environment inventories
│   ├── dev/
│   ├── staging/
│   └── production/
└── ansible.cfg            # Ansible configuration
```
Key Rules
- Always use FQCN (e.g., `ansible.builtin.dnf`, not `dnf`)
- All tasks must be idempotent: running twice produces the same result
- Use `ansible-vault` for any sensitive variables
- Break task files by concern (`sshd.yml`, `auditd.yml`, etc.)
- Use handlers for service restarts
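The following is an added example written for this page, not a file from the project, showing how the rules above combine in one task file for the sshd concern plus its handler. The file paths follow the role layout shown in the structure above, and the variable `os_hardening_banner_text` is an assumed name (it would live in the role's vars, vault-encrypted if sensitive). Every module is referenced by FQCN; `lineinfile` with a `regexp` is idempotent, so a second run reports no change; `validate` refuses to write a config that `sshd -t` cannot parse; and the restart happens only through the handler, once, and only when a task actually changed something.

```yaml
# roles/os-hardening/tasks/sshd.yml  (added example; assumed path)
---
- name: Install login banner used by sshd
  ansible.builtin.copy:                         # FQCN, not bare "copy"
    content: "{{ os_hardening_banner_text }}\n"  # assumed variable name
    dest: /etc/issue
    owner: root
    group: root
    mode: "0644"

- name: Ensure sshd directives match the hardening baseline
  ansible.builtin.lineinfile:                   # FQCN, not bare "lineinfile"
    path: /etc/ssh/sshd_config
    # Match the directive whether it is commented out or already set,
    # so the same line is rewritten in place instead of appended again.
    regexp: '^#?\s*{{ item.key }}\s+'
    line: "{{ item.key }} {{ item.value }}"
    # Write only if sshd can parse the candidate file; %s is the temp copy.
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - { key: PermitRootLogin, value: "no" }
    - { key: PasswordAuthentication, value: "no" }
    - { key: Banner, value: /etc/issue }
  notify: Restart sshd                          # fires at most once per play, only on change

# roles/os-hardening/handlers/main.yml  (added example; assumed path)
---
- name: Restart sshd
  ansible.builtin.systemd:                      # FQCN, not bare "systemd"
    name: sshd
    state: restarted
```

Running the role twice is the idempotency check the rules call for: the second run should show `changed=0` for these tasks and the `Restart sshd` handler should not fire.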