Getting started

Default configuration

At the initial deployment, the role will disable the default Redis instance configuration defined by the distribution packages. Next, a new, systemd-based instance will be created with the configuration like TCP ports and UNIX socket the same as the default Redis Server setup. This should allow easy creation of additional Redis instances when necessary.

Access control and authorization

The debops.redis_server role configures Redis Server instances with a randomly generated password, the same for all instances in the same domain. The password is stored in the secret/ directory on the Ansible Controller (see debops.secret role for details).

The Redis password can be accessed on the Redis hosts using the redis-password script. Only the users that have read access to the redis.conf configuration files will be able to use it; the role sets up an auxiliary redis-auth UNIX system group to allow members of this group access to the configuration. The script accepts an instance name as an argument; if not specified the main instance will be checked and the password will be retrieved from the configuration file.

To access the default Redis Server instance via the redis-cli interface, you can use the command:

redis-cli -a $(redis-password)

Redis password is also exposed in the Ansible local facts, so that other Ansible roles can use it to configure access to Redis by other applications. Run the /etc/ansible/facts.d/redis_server.fact script on the remote host to see the local fact structure and contents.

Example inventory

To enable Redis Server configuration on a host, it needs to be added to a specific Ansible inventory group:

[debops_service_redis_server]
hostname

By default Redis listens only for local connections on the loopback network interface. If you want to set up a cluster of Redis instances on different hosts that talk to each other, you should configure the default instance to bind to all network interfaces, as well as open the TCP ports in the firewall:

# Listen to TCP connections on all interfaces
redis_server__bind: [ '0.0.0.0', '::' ]

# Allow connections to Redis from specific subnets
redis_server__allow: [ '192.0.2.0/24', '2001:db8::/32' ]

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.redis_server role:

---

- name: Manage Redis server
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_redis_server' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  pre_tasks:

    - name: Prepare sysfs environment
      ansible.builtin.import_role:
        name: 'sysfs'
        tasks_from: 'main_env'
      tags: [ 'role::sysfs', 'role::secret' ]

    - name: Prepare redis_server environment
      ansible.builtin.import_role:
        name: 'redis_server'
        tasks_from: 'main_env'
      tags: [ 'role::redis_server', 'role::ferm' ]

  roles:

    - role: secret
      tags: [ 'role::secret', 'role::sysfs' ]
      secret__directories:
        - '{{ sysfs__secret__directories | d([]) }}'

    - role: apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
      apt_preferences__dependent_list:
        - '{{ redis_server__apt_preferences__dependent_list }}'

    - role: etc_services
      tags: [ 'role::etc_services', 'skip::etc_services' ]
      etc_services__dependent_list:
        - '{{ redis_server__etc_services__dependent_list }}'

    - role: ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
      ferm__dependent_rules:
        - '{{ redis_server__ferm__dependent_rules }}'

    - role: sysctl
      tags: [ 'role::sysctl', 'skip::sysctl' ]
      sysctl__dependent_parameters:
        - '{{ redis_server__sysctl__dependent_parameters }}'

    - role: sysfs
      tags: [ 'role::sysfs', 'skip::sysfs' ]
      sysfs__dependent_attributes:
        - '{{ redis_server__sysfs__dependent_attributes }}'

    - role: python
      tags: [ 'role::python', 'skip::python', 'role::redis_server' ]
      python__dependent_packages3:
        - '{{ redis_server__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ redis_server__python__dependent_packages2 }}'

    - role: redis_server
      tags: [ 'role::redis_server', 'skip::redis_server' ]

Ansible tags

You can use Ansible --tags or --skip-tags parameters to limit what tasks are performed during Ansible run. This can be used after a host was first configured to speed up playbook execution, when you are sure that most of the configuration is already in the desired state.

Available role tags:

role::redis_server

Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.

Other resources

List of other useful resources related to the debops.redis_server Ansible role: